f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
Size

550KB
MD5

30bfa3473ae949b3bed3075fcc354ba3
SHA1

d11b0f1c6d70dd43de9a4413be941b8363a6c4fb
SHA256

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983
SHA512

39401222ce9dc245d8263f3d0db2c32f56a9ca73ac56fbebac076e0635fdf70423e80119d34b9bc02b07788efd3977efa68a27e9c19c11031639e27f7bcd5dfd
SSDEEP

12288:JXCNi9BX0gpA6Hody5Xv4C8R7pb0OFMO5FLvUtfR7i:sWkCVH/5Xohpb0Yl5+tfRW

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exef054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

description	ioc	process
File opened (read-only)	\??\A:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\B:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\O:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\V:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\I:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\K:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\N:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\S:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\W:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\X:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\Z:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\G:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\H:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\J:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\L:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\M:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\P:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\T:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\E:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\Q:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\R:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\U:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\Y:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

Drops file in System32 directory 12 IoCs

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\tyrkish porn lesbian girls titts traffic (Karin).zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\IME\SHARED\horse big (Sylvia).avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\IME\SHARED\lesbian [milf] glans black hairunshaved .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\System32\DriverStore\Temp\beast hidden titts (Gina,Curtney).zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\FxsTmp\norwegian trambling uncut 50+ .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\italian action blowjob public glans penetration .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\russian kicking gay big glans girly .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american horse bukkake licking feet gorgeoushorny (Tatjana).zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\config\systemprofile\hardcore uncut .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\FxsTmp\danish fetish lingerie [bangbus] redhair .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lingerie girls glans mature (Jade).mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\tyrkish handjob hardcore licking cock .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

Drops file in Program Files directory 19 IoCs

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\swedish horse horse hidden hole .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\japanese fetish bukkake sleeping titts circumcision .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\kicking hardcore lesbian hole .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\fucking voyeur hole circumcision .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Google\Temp\beast full movie hole shoes .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Google\Update\Download\bukkake uncut cock high heels .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\xxx masturbation feet (Kathrin,Melissa).mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files\dotnet\shared\japanese action gay [free] cock granny (Janette).avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian action blowjob [milf] boots (Sonja,Jade).rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files\Microsoft Office\root\Templates\sperm [bangbus] gorgeoushorny .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\fucking big granny .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\brasilian action horse lesbian cock .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{A22979E4-D188-4AF0-A888-04FE21284B11}\EDGEMITMP_19EA3.tmp\bukkake public feet .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\bukkake full movie hotel .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files\Common Files\microsoft shared\tyrkish cum blowjob licking .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\lesbian voyeur titts hotel .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\lingerie hidden blondie .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Microsoft\Temp\american cum horse [bangbus] feet hairy (Samantha).avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\russian fetish lingerie girls sm .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

Drops file in Windows directory 64 IoCs

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

description	ioc	process
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\horse masturbation (Samantha).mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\russian porn sperm masturbation hairy .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\black kicking sperm [milf] hole lady .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\swedish handjob xxx several models hole (Britney,Tatjana).avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\Downloaded Program Files\american kicking lesbian big .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\horse catfight glans penetration (Liz).zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\danish action trambling masturbation (Liz).rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\malaysia beast hot (!) (Jade).zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\chinese hardcore public femdom .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\action lingerie [bangbus] mistress .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\asian lingerie sleeping ejaculation .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\kicking blowjob catfight .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\american kicking gay uncut hole leather (Janette).zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\malaysia bukkake girls upskirt .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\malaysia lingerie catfight (Melissa).mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\french xxx big ejaculation .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\indian beastiality gay uncut castration .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\tyrkish porn xxx hidden cock .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\brasilian action lesbian big feet shoes .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\assembly\tmp\brasilian kicking lesbian sleeping .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SoftwareDistribution\Download\black horse horse licking glans .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\american nude fucking voyeur cock (Jenna,Liz).mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\kicking lesbian catfight stockings .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\swedish handjob bukkake [free] .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\lingerie catfight (Samantha).rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\african beast [bangbus] .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\fucking full movie balls .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\kicking lingerie lesbian (Melissa).mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\gay full movie hole pregnant .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\horse [milf] (Karin).mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\black animal beast uncut upskirt .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\italian action lingerie [bangbus] (Janette).avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\african fucking [milf] hole girly .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\canadian xxx sleeping .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\kicking fucking lesbian hole .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\assembly\temp\bukkake catfight feet .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\american nude fucking public cock .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\swedish cumshot fucking uncut sm .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\PLA\Templates\brasilian animal horse [free] balls .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\animal fucking girls upskirt .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\african trambling [bangbus] granny .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\indian fetish gay voyeur lady .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\brasilian kicking blowjob masturbation swallow .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\african xxx [bangbus] 50+ .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\security\templates\trambling sleeping mature .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\brasilian cum lesbian [bangbus] titts stockings .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\gang bang fucking public hole (Jenna,Tatjana).avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\CbsTemp\russian nude bukkake [free] cock bedroom .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\lesbian several models .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\horse gay hidden (Liz).zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\InputMethod\SHARED\russian beastiality hardcore voyeur glans young .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\sperm [milf] titts bondage .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\trambling voyeur (Janette).avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\fucking masturbation fishy .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\bukkake lesbian .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\canadian lingerie [free] .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\action blowjob public feet gorgeoushorny (Samantha).rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\danish fetish bukkake lesbian .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\french blowjob masturbation young .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\asian blowjob [milf] feet .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\american action hardcore hidden titts .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\cumshot lingerie public latex .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\porn blowjob girls 40+ .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\american horse sperm catfight .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exef054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exef054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exef054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

pid	process
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3876	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3876	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3876	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3876	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3876	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3876	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3876	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3876	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3876	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3876	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3876	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3876	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3876	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3876	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
3852	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exef054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

description	pid	process	target process
PID 1572 wrote to memory of 2684	1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 1572 wrote to memory of 2684	1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 1572 wrote to memory of 2684	1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 1572 wrote to memory of 3852	1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 1572 wrote to memory of 3852	1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 1572 wrote to memory of 3852	1572	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 2684 wrote to memory of 3876	2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 2684 wrote to memory of 3876	2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 2684 wrote to memory of 3876	2684	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

C:\Users\Admin\AppData\Local\Temp\f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
"C:\Users\Admin\AppData\Local\Temp\f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
"C:\Users\Admin\AppData\Local\Temp\f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
"C:\Users\Admin\AppData\Local\Temp\f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3876

C:\Users\Admin\AppData\Local\Temp\f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
"C:\Users\Admin\AppData\Local\Temp\f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:5112

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\fucking big granny .rar.exe
Filesize
635KB

MD5
1c40b911b85f1a8aaf98072375e363b9

SHA1
bd6baef36fca8116e6a89ac18f5a6af73c85233f

SHA256
bc68527d30162c8c4aa8eccdb876b5cd32798f2d3f7bb63e336f0d4c09b5b845

SHA512
99c032d99a54694071b5fe27e5d43315fa5a8f5c0b0330b569219f57dd061910bec9bd47c7d034794f88e2119fe300f95f87e9401b7dad636a237dff20700dad

Download Submit