rms | 9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827

Analysis

max time kernel
21s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
Size

6.2MB
MD5

c868ed63d0a3667bcc78e15c0e9216e6
SHA1

d7b1f6a519c81ae7db5b5d18b26252e049bfe502
SHA256

9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827
SHA512

8e4f07215a1e8fec3ade29496170302eaf569c5eaadb90e6e32aebe2200cb7041c68d3a9037be5ea2e059b77654aed517d5fdaa61da42cffbc9ea7bf2c526342

Score

10^/10

rms evasion persistence rat trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1systemsmss.exe, explorer.exe"	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1systemsmss.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 3 IoCs

pid	Process
4560	1systemsmss.exe
2160	svnhost.exe
4940	svnhost.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1systemsmss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	1systemsmss.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File opened for modification	C:\Windows\System64\svnhost.exe	1systemsmss.exe
File created	C:\Windows\Zont911\Tupe.bat	1systemsmss.exe
File opened for modification	C:\Windows\System64\1systemsmss.exe	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
File created	C:\Windows\Zont911\Regedit.reg	1systemsmss.exe
File created	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe
File created	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File created	C:\Windows\System64\svnhost.exe	1systemsmss.exe
File created	C:\Windows\System64\systemsmss.exe	1systemsmss.exe
File opened for modification	C:\Windows\System64\systemsmss.exe	1systemsmss.exe
File created	C:\Windows\System64\1systemsmss.exe	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
File created	C:\Windows\Zont911\Home.zip	1systemsmss.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
8	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	svnhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2160	svnhost.exe
4940	svnhost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 4560	3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe	79
PID 3368 wrote to memory of 4560	3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe	79
PID 3368 wrote to memory of 4560	3368	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe	79
PID 4560 wrote to memory of 8	4560	1systemsmss.exe	80
PID 4560 wrote to memory of 8	4560	1systemsmss.exe	80
PID 4560 wrote to memory of 8	4560	1systemsmss.exe	80
PID 4560 wrote to memory of 3832	4560	1systemsmss.exe	82
PID 4560 wrote to memory of 3832	4560	1systemsmss.exe	82
PID 4560 wrote to memory of 3832	4560	1systemsmss.exe	82
PID 3832 wrote to memory of 4944	3832	cmd.exe	84
PID 3832 wrote to memory of 4944	3832	cmd.exe	84
PID 3832 wrote to memory of 4944	3832	cmd.exe	84
PID 3832 wrote to memory of 2160	3832	cmd.exe	83
PID 3832 wrote to memory of 2160	3832	cmd.exe	83
PID 3832 wrote to memory of 2160	3832	cmd.exe	83
PID 3832 wrote to memory of 4940	3832	cmd.exe	85
PID 3832 wrote to memory of 4940	3832	cmd.exe	85
PID 3832 wrote to memory of 4940	3832	cmd.exe	85

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4800	attrib.exe
4284	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
"C:\Users\Admin\AppData\Local\Temp\9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\System64\1systemsmss.exe
  "C:\Windows\System64\1systemsmss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2160
  - - C:\Windows\SysWOW64\chcp.com
      Chcp 1251
      4⤵
      PID:4944
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /firewall
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4940
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /start
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\System64" +s +h
      4⤵
      Views/modifies file attributes
      PID:4800
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\System64\*.*" +s +h
      4⤵
      Views/modifies file attributes
      PID:4284

C:\Windows\System64\svnhost.exe
C:\Windows\System64\svnhost.exe
1⤵
PID:1996
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe /tray
  2⤵
  PID:2620
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe
  2⤵
  PID:4264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\1systemsmss.exe

Filesize
272KB

MD5
71464415495f2be014e62935a45090c3

SHA1
e52e6fb3875582dbef0224ae6cce05394fe74365

SHA256
2b0e1eec39c5a701c8fa0ba70ee4f4cb306691891702e42cb58e9fc87e0a8b47

SHA512
a42a47e1ea56a55cb4b6ca9265bae1db4761624704f79521fa7e73c8ca895f0aa1e1f4ef7fcaafd57f6a0ea5db456349f4f5dbf497608fd4f151aea839853dd0

Download Submit
C:\Windows\System64\1systemsmss.exe

Filesize
328KB

MD5
6c02fd1f3c27d7fa51fc52150901f1a9

SHA1
a9a51e5b71cc7e2bdab4a93893e0e9c8b895aa6f

SHA256
f8803e67cf278e8ef5562465f79ba321f111149f8f58a451424efe45a440280a

SHA512
7ec294ac59577e49a180db847af65afb8293089932a30338ca8bce66a0764884f20590abcc7fb145008bf4f48fede69082f9e5633ec5a3a0493f32eb70910f81

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
386KB

MD5
ff25ca9b70ac68bba74a0bffd096e440

SHA1
f52f91e2d45f97ddd42285b068bdb8d32e8ae386

SHA256
c4bb4713411f9c33b9206dac6f46fe7c335d18796c9cda837a443a1f3d6e2656

SHA512
64e0be17cbd82f023628cd6f49dc6a82ea1b069dad273e856ee10d3a7823889bbdc230166e6dc51f982ca32b4c4d7854264aa6eab9df546604697abac1fc3ef7

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
262KB

MD5
7ffce0861646f7be5f882ecf76572ac5

SHA1
74636114930bde3e71b4e84116c9965a0442864e

SHA256
f37de2a46e8d133d2faf1f054d2628c21fd7121f97d599b975db0f5a328a3f28

SHA512
bc41f17d7ed2b6dcbc7e8ca072c8310bac6dbc2ecf343fefcf5ebe4d0281335f6f1717ebc56d020e7933106ad0366d6b9bc8005395a58a67273dbe6f67d7a55c

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
214KB

MD5
0c7cfa1df0edd0fa23f4d8d090809ac4

SHA1
275d582bcd1deba4716a6595ed505ca7045caa48

SHA256
2ff06214d91cebb51bb7a498c1d8126e4408f55d89f49c20c2822cc1d4f0cd7d

SHA512
dc9a75c6d3fa03e1cdc61d18ba8007520540a6e219cea5a8cc6406d5295151597889b8fff217d4891ee06d810b531bf6c53e363776b1086825e497da5dd418f3

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
273KB

MD5
7ef6d33c729ead9cc26ea97a648354f4

SHA1
5f7c3152942864691c784569f618c742ac99ca3f

SHA256
b58d5d85909e1643461e122e5a4aa81c55ae784b8d68e2fe443d60b31681d379

SHA512
50334e160d95f1c436cf0c7d21201678b50b4c9cf18d506127b764f6eeaf548ba9ad524947412960873a9eca486095546e21c31b9c4edba17c850a356e25bf26

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
237KB

MD5
093ba8b4bc077ac70e3e378cf0ee05c4

SHA1
8f3f9dbdde4183de150c8bb128b0bd83d2e2e9b9

SHA256
82ab27706f2aa84c3238e070420f8e731eb79a6b8d3027c8bce28ce8db9307ed

SHA512
59f10d48e0ad0d1fa33a5c4ad6310aead1a55929ea12a9d85f0586746f41df9fbe21a0b59f781addae79d96c250a21ef42c3dbe7e5ea47a57c4ec3f907cb0516

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
309KB

MD5
acd6232c20696a86c0b8c59c5fdbc341

SHA1
77395c4330006aa0bbc4eaf06251e82f3a81500b

SHA256
70c276139668158a0e443e1ffc65b304388b7befccefd969a617dc46b364674a

SHA512
44a690e503dbda1ad91f1f8d7b109a4ee89be26ac81223a225764407a8311b8998ffbe162f5a3e3a1c656e9aec358cbfc45903db6ed3f3d47ff4c7acc7c67414

Download Submit
C:\Windows\System64\vp8decoder.dll

Filesize
267KB

MD5
0c3ca2f2de827db092a9a4cd34da4488

SHA1
940bfb8800d101667d791ad6c14e1b761615828c

SHA256
252149ddb43f7b9b1502f92d4a01cc715d0c484788921837fd3909488a2cff6c

SHA512
b742a408c276b09349b6ac3e2178c3aa820323d29f46670850753003d2c5dbc8f8e7497191853f72aa96738758d8331712c14770276404373eae94570fdbb5f0

Download Submit
C:\Windows\System64\vp8encoder.dll

Filesize
269KB

MD5
d81b35eee6aaabdd7b3945aa3bba28b2

SHA1
7e241247a51e86149c500f53c586ff9d092ac3f0

SHA256
54d744cd56350bc5460aaf5b3e681596d21eeb6831966b71265f466d9cf76243

SHA512
20f3ffb6b02fc71c277c3cbed0fe1d58fe68e66be8df113c6773dd778a94667ffcfa0351c1cdbdcd38816db6a670d8885ffe0ac866dfbd82e6e58f92d7052c43

Download Submit
C:\Windows\Zont911\Regedit.reg

Filesize
11KB

MD5
fbd460137890250b2cf3203e7c705c15

SHA1
38184211e035726c833ea457a76ba98b7a344a06

SHA256
5e40d1a2a6e2cd884219cb6a1b150db97c474a5d97b96711e3f5aa24db99e651

SHA512
7ddeb322da09e12db3a9462fdd531164fd76fa3cc9326c7dfe161dffa7e44498681a0865e995f4d37dcaa10e4365284363c21e140090f59b861d700365b687c1

Download Submit
C:\Windows\Zont911\Tupe.bat

Filesize
357B

MD5
e5274839994aefad7d0268f3d9d18c31

SHA1
39edce7d681a25435c2c7607ba51ba45d3217e25

SHA256
dcc09369c3fa2c56fc03fa5982c7836abfe6972cf18e4bb26a9c3ce266ee5149

SHA512
81a97588d1fd81d0257189ed1d6351cb4fedf5c72d79750a611f51ed117232e3825f81bd5189079e656a7c164e76ad3ec56b8522db8ad5f7bb0e26fdcebeb386

Download Submit