1d872cfbdbcfdcbe4ac67935869aa0b917ecf04c23cf0cb84f7d143a8af201c0

Analysis

max time kernel
34s
max time network
97s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26/05/2023, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

System.ERROR.Log.23796c45b1921f58409e4992c6809aee.msi
Size

6.0MB
MD5

d2de6059c6167527bee666bea4db3ab6
SHA1

1f1e5cc3b8513540e2576e52806646e9455c368c
SHA256

1d872cfbdbcfdcbe4ac67935869aa0b917ecf04c23cf0cb84f7d143a8af201c0
SHA512

9f718baa56eb6e334cd1381c30888cef35197b3d85095cc4916d1a3fb3778251d6e803aa8192d1c5813be60be059c47256f3e0633a79d003d3efdec976bb2754
SSDEEP

3072:kF5GaVbfNNMFNjJfU7eyOp0q0fT8Am2FlwyT8KZf3Vi:kF5zfYjgOp0q0tT8qfc

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1276	msiexec.exe
4	1276	msiexec.exe
5	1260	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
788	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6c7eb2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c7eb2.msi	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1260	msiexec.exe
1260	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeSecurityPrivilege	1260	msiexec.exe
Token: SeCreateTokenPrivilege	1276	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1276	msiexec.exe
Token: SeLockMemoryPrivilege	1276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1276	msiexec.exe
Token: SeMachineAccountPrivilege	1276	msiexec.exe
Token: SeTcbPrivilege	1276	msiexec.exe
Token: SeSecurityPrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeLoadDriverPrivilege	1276	msiexec.exe
Token: SeSystemProfilePrivilege	1276	msiexec.exe
Token: SeSystemtimePrivilege	1276	msiexec.exe
Token: SeProfSingleProcessPrivilege	1276	msiexec.exe
Token: SeIncBasePriorityPrivilege	1276	msiexec.exe
Token: SeCreatePagefilePrivilege	1276	msiexec.exe
Token: SeCreatePermanentPrivilege	1276	msiexec.exe
Token: SeBackupPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeShutdownPrivilege	1276	msiexec.exe
Token: SeDebugPrivilege	1276	msiexec.exe
Token: SeAuditPrivilege	1276	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1276	msiexec.exe
Token: SeChangeNotifyPrivilege	1276	msiexec.exe
Token: SeRemoteShutdownPrivilege	1276	msiexec.exe
Token: SeUndockPrivilege	1276	msiexec.exe
Token: SeSyncAgentPrivilege	1276	msiexec.exe
Token: SeEnableDelegationPrivilege	1276	msiexec.exe
Token: SeManageVolumePrivilege	1276	msiexec.exe
Token: SeImpersonatePrivilege	1276	msiexec.exe
Token: SeCreateGlobalPrivilege	1276	msiexec.exe
Token: SeCreateTokenPrivilege	1276	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1276	msiexec.exe
Token: SeLockMemoryPrivilege	1276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1276	msiexec.exe
Token: SeMachineAccountPrivilege	1276	msiexec.exe
Token: SeTcbPrivilege	1276	msiexec.exe
Token: SeSecurityPrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeLoadDriverPrivilege	1276	msiexec.exe
Token: SeSystemProfilePrivilege	1276	msiexec.exe
Token: SeSystemtimePrivilege	1276	msiexec.exe
Token: SeProfSingleProcessPrivilege	1276	msiexec.exe
Token: SeIncBasePriorityPrivilege	1276	msiexec.exe
Token: SeCreatePagefilePrivilege	1276	msiexec.exe
Token: SeCreatePermanentPrivilege	1276	msiexec.exe
Token: SeBackupPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeShutdownPrivilege	1276	msiexec.exe
Token: SeDebugPrivilege	1276	msiexec.exe
Token: SeAuditPrivilege	1276	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1276	msiexec.exe
Token: SeChangeNotifyPrivilege	1276	msiexec.exe
Token: SeRemoteShutdownPrivilege	1276	msiexec.exe
Token: SeUndockPrivilege	1276	msiexec.exe
Token: SeSyncAgentPrivilege	1276	msiexec.exe
Token: SeEnableDelegationPrivilege	1276	msiexec.exe
Token: SeManageVolumePrivilege	1276	msiexec.exe
Token: SeImpersonatePrivilege	1276	msiexec.exe
Token: SeCreateGlobalPrivilege	1276	msiexec.exe
Token: SeCreateTokenPrivilege	1276	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1276	msiexec.exe
1276	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 788	1260	msiexec.exe	29
PID 1260 wrote to memory of 788	1260	msiexec.exe	29
PID 1260 wrote to memory of 788	1260	msiexec.exe	29
PID 1260 wrote to memory of 788	1260	msiexec.exe	29
PID 1260 wrote to memory of 788	1260	msiexec.exe	29

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\System.ERROR.Log.23796c45b1921f58409e4992c6809aee.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1276

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding B7D70E91E127BA99242915A5AD76C10E C
  2⤵
  - Loads dropped DLL
  PID:788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1544

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004AC" "00000000000003E0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ED90CF98D7FAD71C274722E4F54A256C

Filesize
959B

MD5
d5e98140c51869fc462c8975620faa78

SHA1
07e032e020b72c3f192f0628a2593a19a70f069e

SHA256
5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e

SHA512
9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d03fa39979c5c934feef08d29cb9ea9b

SHA1
59d8678ecbafb820bb52e994cbd81f4f44027ec5

SHA256
d2b5cb53ccc13bb8953bef973c0f1804161470ea85a79a9a80d8c58b6cddb552

SHA512
5aaaaf11ef862576b893bec6dbe5b34f73693c3cb7e95c42e6c11c58d774c990aa515e1b08468ea93cf2b923414997ef8e2310e4efdc5565420d94a3dcfe3fa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ED90CF98D7FAD71C274722E4F54A256C

Filesize
206B

MD5
4e10c19a72b754c6f1afbf4dcf212c9c

SHA1
b792184a3cfb804fcc1b4b1be929ee835002ae81

SHA256
5969007b27e4ded5cc829f72bce6306130a7dd09aa4a8cb56b48aeff5591381e

SHA512
f310f0848cf9dcad933f91885dfbc05ba05b91118f1a377b32fb198bffd65605d8edf199e9a4b59ffc07ed8d2876085775ffdf3cb44e638c69b95e359e2b25c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF01.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1F86.tmp

Filesize
77KB

MD5
fe633b7b6ae55f19b183a057c14dc0b1

SHA1
f9fc3828bf0f012d0c0593bf3024c6c383c20e7d

SHA256
863230887b76c224113eca33e0df6edce5e607e2f19255015611f70de46a675f

SHA512
e9f7676f4be6431fee31afe6d9408237194dc83e4a12e2798d17cafcb060c81e53c5d047b518feb9fb2e851862fd41daadaea73ce2a03fa7cd19add621f93ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1498.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFB0.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
\Users\Admin\AppData\Local\Temp\MSI1F86.tmp

Filesize
77KB

MD5
fe633b7b6ae55f19b183a057c14dc0b1

SHA1
f9fc3828bf0f012d0c0593bf3024c6c383c20e7d

SHA256
863230887b76c224113eca33e0df6edce5e607e2f19255015611f70de46a675f

SHA512
e9f7676f4be6431fee31afe6d9408237194dc83e4a12e2798d17cafcb060c81e53c5d047b518feb9fb2e851862fd41daadaea73ce2a03fa7cd19add621f93ec4

Download Submit