510fc8c2112e2bc544fb29a72191eabcc68d3a5a7468d35d7694493bc8593a79

Resubmissions

20-02-2024 16:15

240220-tqc6nabg62 6

20-02-2024 16:14

240220-tpr87abg53 1

Analysis

max time kernel
24s
max time network
12s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20-02-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rat.exe
Size

13.2MB
MD5

9882a328c8414274555845fa6b542d1e
SHA1

ab4a97610b127d68c45311deabfbcd8aa7066f4b
SHA256

510fc8c2112e2bc544fb29a72191eabcc68d3a5a7468d35d7694493bc8593a79
SHA512

c08d1aa7e6e6215a0cee2793592b65668066c8c984b26675d2b8c09bc7fee21411cb3c0a905eaee7a48e7a47535fa777de21eeb07c78bca7bf3d7bb17192acf2
SSDEEP

196608:oRjgvJ2flpQcIIS/Rj7BWl+aV8t8z72BxBwBgO42BE6+2DQlMp1sHW5ZDmCCM0Xr:IgRIlptVYmfr7yBG/4pXMHsHW76CsGE

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

VC_redist.x86.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{46c3b171-c15c-4137-8e1d-67eeb2985b44} = "\"C:\\ProgramData\\Package Cache\\{46c3b171-c15c-4137-8e1d-67eeb2985b44}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

2 1900 msiexec.exe

flow	pid	process
2	1900	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in System32 directory 49 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 23 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\SystemTemp\~DF47FB66ECA013BC6B.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7FF0.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF79B63A6C0B1BED5A.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{286DC39B-5FB7-4AFF-9DD4-22DB47664CD7}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA0A56E4E16020DC7.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3B06562CEF2C9BD5.TMP	msiexec.exe
File created	C:\Windows\Installer\e577a04.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF5C23CA88087F00D3.TMP	msiexec.exe
File created	C:\Windows\Installer\e577a05.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2DC8AEE95B768DDC.TMP	msiexec.exe
File created	C:\Windows\Installer\e5779f3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8139.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BB8.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF840F56AA1E714068.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e577a05.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5779f3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CD2.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9C19C103-7DB1-44D1-A039-2C076A633A38}	msiexec.exe
File created	C:\Windows\Installer\e577a1a.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3B810D083945CC45.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

Processes:

rat.exeVC_redist.x86.exe

pid process

3296 rat.exe
4832 VC_redist.x86.exe
Loads dropped DLL 2 IoCs

Processes:

rat.exeVC_redist.x86.exe

pid process

3296 rat.exe
2260 VC_redist.x86.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3296	rat.exe
4832	VC_redist.x86.exe

pid	process
3296	rat.exe
2260	VC_redist.x86.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f11f7815895575580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f11f78150000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f11f7815000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df11f7815000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f11f781500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeVC_redist.x86.exeVC_redist.x86.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1\B93CD6827BF5FFA4D94D22BD7466C47D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.38.33135"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\ = "{46c3b171-c15c-4137-8e1d-67eeb2985b44}"	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\PackageCode = "253FEC3847DED1B40B7E69DC4FADC1D2"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{46c3b171-c15c-4137-8e1d-67eeb2985b44}	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\ = "{9C19C103-7DB1-44D1-A039-2C076A633A38}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList\PackageName = "vc_runtimeAdditional_x86.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{286DC39B-5FB7-4AFF-9DD4-22DB47664CD7}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\InstanceType = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{46c3b171-c15c-4137-8e1d-67eeb2985b44}	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X86,X86,14.30,BUNDLE\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{9C19C103-7DB1-44D1-A039-2C076A633A38}v14.38.33135\\packages\\vcRuntimeAdditional_x86\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.38.33135"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\PackageCode = "5DCA9E92B1C69C843A615368658FB324"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\ProductName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.38.33135"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\Dependents\{46c3b171-c15c-4137-8e1d-67eeb2985b44}	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\301C91C91BD71D440A93C270A636A383	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.38.33135"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B93CD6827BF5FFA4D94D22BD7466C47D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\Assignment = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\Version = "14.38.33135.0"	VC_redist.x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\ProductName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.38.33135"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\679E80FBE29B63345BF612177149674C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\301C91C91BD71D440A93C270A636A383\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{286DC39B-5FB7-4AFF-9DD4-22DB47664CD7}v14.38.33135\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\Dependents	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.38.33135"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D	msiexec.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msiexec.exe

pid process

1900 msiexec.exe
1900 msiexec.exe
1900 msiexec.exe
1900 msiexec.exe
1900 msiexec.exe
1900 msiexec.exe
1900 msiexec.exe
1900 msiexec.exe

pid	process
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeVC_redist.x86.exemsiexec.exesrtasks.exe

description	pid	process
Token: SeBackupPrivilege	4396	vssvc.exe
Token: SeRestorePrivilege	4396	vssvc.exe
Token: SeAuditPrivilege	4396	vssvc.exe
Token: SeShutdownPrivilege	4832	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	4832	VC_redist.x86.exe
Token: SeSecurityPrivilege	1900	msiexec.exe
Token: SeCreateTokenPrivilege	4832	VC_redist.x86.exe
Token: SeAssignPrimaryTokenPrivilege	4832	VC_redist.x86.exe
Token: SeLockMemoryPrivilege	4832	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	4832	VC_redist.x86.exe
Token: SeMachineAccountPrivilege	4832	VC_redist.x86.exe
Token: SeTcbPrivilege	4832	VC_redist.x86.exe
Token: SeSecurityPrivilege	4832	VC_redist.x86.exe
Token: SeTakeOwnershipPrivilege	4832	VC_redist.x86.exe
Token: SeLoadDriverPrivilege	4832	VC_redist.x86.exe
Token: SeSystemProfilePrivilege	4832	VC_redist.x86.exe
Token: SeSystemtimePrivilege	4832	VC_redist.x86.exe
Token: SeProfSingleProcessPrivilege	4832	VC_redist.x86.exe
Token: SeIncBasePriorityPrivilege	4832	VC_redist.x86.exe
Token: SeCreatePagefilePrivilege	4832	VC_redist.x86.exe
Token: SeCreatePermanentPrivilege	4832	VC_redist.x86.exe
Token: SeBackupPrivilege	4832	VC_redist.x86.exe
Token: SeRestorePrivilege	4832	VC_redist.x86.exe
Token: SeShutdownPrivilege	4832	VC_redist.x86.exe
Token: SeDebugPrivilege	4832	VC_redist.x86.exe
Token: SeAuditPrivilege	4832	VC_redist.x86.exe
Token: SeSystemEnvironmentPrivilege	4832	VC_redist.x86.exe
Token: SeChangeNotifyPrivilege	4832	VC_redist.x86.exe
Token: SeRemoteShutdownPrivilege	4832	VC_redist.x86.exe
Token: SeUndockPrivilege	4832	VC_redist.x86.exe
Token: SeSyncAgentPrivilege	4832	VC_redist.x86.exe
Token: SeEnableDelegationPrivilege	4832	VC_redist.x86.exe
Token: SeManageVolumePrivilege	4832	VC_redist.x86.exe
Token: SeImpersonatePrivilege	4832	VC_redist.x86.exe
Token: SeCreateGlobalPrivilege	4832	VC_redist.x86.exe
Token: SeRestorePrivilege	1900	msiexec.exe
Token: SeTakeOwnershipPrivilege	1900	msiexec.exe
Token: SeBackupPrivilege	2348	srtasks.exe
Token: SeRestorePrivilege	2348	srtasks.exe
Token: SeSecurityPrivilege	2348	srtasks.exe
Token: SeTakeOwnershipPrivilege	2348	srtasks.exe
Token: SeRestorePrivilege	1900	msiexec.exe
Token: SeTakeOwnershipPrivilege	1900	msiexec.exe
Token: SeBackupPrivilege	2348	srtasks.exe
Token: SeRestorePrivilege	2348	srtasks.exe
Token: SeSecurityPrivilege	2348	srtasks.exe
Token: SeTakeOwnershipPrivilege	2348	srtasks.exe
Token: SeRestorePrivilege	1900	msiexec.exe
Token: SeTakeOwnershipPrivilege	1900	msiexec.exe
Token: SeRestorePrivilege	1900	msiexec.exe
Token: SeTakeOwnershipPrivilege	1900	msiexec.exe
Token: SeRestorePrivilege	1900	msiexec.exe
Token: SeTakeOwnershipPrivilege	1900	msiexec.exe
Token: SeRestorePrivilege	1900	msiexec.exe
Token: SeTakeOwnershipPrivilege	1900	msiexec.exe
Token: SeRestorePrivilege	1900	msiexec.exe
Token: SeTakeOwnershipPrivilege	1900	msiexec.exe
Token: SeRestorePrivilege	1900	msiexec.exe
Token: SeTakeOwnershipPrivilege	1900	msiexec.exe
Token: SeRestorePrivilege	1900	msiexec.exe
Token: SeTakeOwnershipPrivilege	1900	msiexec.exe
Token: SeRestorePrivilege	1900	msiexec.exe
Token: SeTakeOwnershipPrivilege	1900	msiexec.exe
Token: SeRestorePrivilege	1900	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rat.exe

pid process

3296 rat.exe

pid	process
3296	rat.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rat.exerat.exeVC_redist.x86.exeVC_redist.x86.exeVC_redist.x86.exe

description	pid	process	target process
PID 2636 wrote to memory of 3296	2636	rat.exe	rat.exe
PID 2636 wrote to memory of 3296	2636	rat.exe	rat.exe
PID 2636 wrote to memory of 3296	2636	rat.exe	rat.exe
PID 3296 wrote to memory of 4832	3296	rat.exe	VC_redist.x86.exe
PID 3296 wrote to memory of 4832	3296	rat.exe	VC_redist.x86.exe
PID 3296 wrote to memory of 4832	3296	rat.exe	VC_redist.x86.exe
PID 4832 wrote to memory of 3528	4832	VC_redist.x86.exe	VC_redist.x86.exe
PID 4832 wrote to memory of 3528	4832	VC_redist.x86.exe	VC_redist.x86.exe
PID 4832 wrote to memory of 3528	4832	VC_redist.x86.exe	VC_redist.x86.exe
PID 3528 wrote to memory of 2260	3528	VC_redist.x86.exe	VC_redist.x86.exe
PID 3528 wrote to memory of 2260	3528	VC_redist.x86.exe	VC_redist.x86.exe
PID 3528 wrote to memory of 2260	3528	VC_redist.x86.exe	VC_redist.x86.exe
PID 2260 wrote to memory of 872	2260	VC_redist.x86.exe	VC_redist.x86.exe
PID 2260 wrote to memory of 872	2260	VC_redist.x86.exe	VC_redist.x86.exe
PID 2260 wrote to memory of 872	2260	VC_redist.x86.exe	VC_redist.x86.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\rat.exe
"C:\Users\Admin\AppData\Local\Temp\rat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\Temp\{F5758F0F-67CC-4B17-A1CB-3082EC8736A5}\.cr\rat.exe
"C:\Windows\Temp\{F5758F0F-67CC-4B17-A1CB-3082EC8736A5}\.cr\rat.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\rat.exe" -burn.filehandle.attached=584 -burn.filehandle.self=724
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\Temp\{A5767569-C05E-4697-9299-90AF042AA691}\.be\VC_redist.x86.exe
"C:\Windows\Temp\{A5767569-C05E-4697-9299-90AF042AA691}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{C584F2DD-73B5-456C-9D30-EE9C71AA1475} {FECB8B97-59E0-4CA3-81E5-DAF64F172C39} 3296
3⤵
- Adds Run key to start application
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={46c3b171-c15c-4137-8e1d-67eeb2985b44} -burn.filehandle.self=1068 -burn.embedded BurnPipe.{5CA3F93F-A275-4F65-8639-365B93C534B0} {CA23DB43-34BA-4D62-861F-E80CE3D31536} 4832
4⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 -uninstall -quiet -burn.related.upgrade -burn.ancestors={46c3b171-c15c-4137-8e1d-67eeb2985b44} -burn.filehandle.self=1068 -burn.embedded BurnPipe.{5CA3F93F-A275-4F65-8639-365B93C534B0} {CA23DB43-34BA-4D62-861F-E80CE3D31536} 4832
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{F6C6FCF4-EECE-4539-8421-F98F86DD385A} {AD9BDC4B-8560-4487-92B5-20BC16FEEE89} 2260
6⤵
- Modifies registry class
PID:872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5779f8.rbs
Filesize
16KB

MD5
bed48e71a9bfdf0411da9ee0af1894aa

SHA1
58847ca160d8612d009282d4e28378d5c37a302c

SHA256
270948bbd736d3f53f7d0ea4a0f872fd03b465a54a9d1a64d8a849956e34bf14

SHA512
4def1469c2cd5f0fe203296614acda5c6de6a7c8a8d6202dfb8e04862bd14ac5370302ad270ca88ffd5bae23e1c3ea212201fc5288c56edc0065e103dab114ad

Download Submit
C:\Config.Msi\e5779fd.rbs
Filesize
18KB

MD5
c912a5c58f8ca1cdeffd6215d2dd7b7a

SHA1
9996251363b0a13d161892f581a4a100050aec09

SHA256
081fa616d3f8cb4fa30dec1eef73102452c55412b36af86b6d18a1a90ed4ada3

SHA512
148b4694eb1abc52276bc9361283e917d55cd2dcc9df8a9a06a83b1296e103ac8c26238635f0eef5faccc1053841993cd0b8eddcf13c3466ae13fd7d66b43446

Download Submit
C:\Config.Msi\e577a0a.rbs
Filesize
20KB

MD5
ca606fc01e1b8568b6220db85ec60cb3

SHA1
ad4ad714368c89a919fcbb97b93517dc2b0065a5

SHA256
7f57fb5cfe422909d01ad1af1e937c55db3e797b4e41c9dd05086fdd03873547

SHA512
213e5be20d9aff6f6faa20fa1b1d181dee3617e1d4c2cde21b7b7715d08f035ded7977fd626ac32d4f8723cd0d6471a0efd1c64da11299a7176aedd8ac94520e

Download Submit
C:\Config.Msi\e577a19.rbs
Filesize
19KB

MD5
50c9ee1c103aefc67b3369eb1cadee56

SHA1
4e5478ac9b9cfcacfc7de2a0b33e0e680d099e11

SHA256
7e598c020b9c9432e48fdde106a92f5426071abd0bf993483bd2e91c507427a1

SHA512
599100dfde5cc49e674aab1a2b55ded5241a564d02fdcd2cb211279da374297952616346dd94fe47a0df31a67231b88cfdb450c24d9eef7424d06c8244bd845b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240220161533_000_vcRuntimeMinimum_x86.log
Filesize
2KB

MD5
43eee3a048fa3327ff3b80586d9ace51

SHA1
d0e8a05a7eba2adc8baf4d83b0114b428604f432

SHA256
9c445273f86246d13e05982e323b5c11772e8b069aae27a80b9ce3ccd293d11f

SHA512
1de6b3af8e080f2a998303d67112e742fe8ca98538a535dc7b23eac77fcc9f32b275dad8c6abc9f68f42609405679d9ea6b77c4a870c8a82d74e166c944a8891

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240220161533_001_vcRuntimeAdditional_x86.log
Filesize
2KB

MD5
aa1d25863f4f9d65c71b3080ccdcd57b

SHA1
afd1294f260b59b8df29da74d149b5b50643903d

SHA256
b16cdece9f70623c49b4440369c7ebcc46b32b5faae72945e19104ee7fb4c93f

SHA512
094cda93832129079880ba2a8d2f0f4df6f241abf457b7976cab6d6859636a3671c7d57aa6148ae2e234477801b57d5889c1886e9fefe2dc06e1676cdfcc9a2f

Download Submit
C:\Windows\Temp\{A5767569-C05E-4697-9299-90AF042AA691}\.ba\logo.png
Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{A5767569-C05E-4697-9299-90AF042AA691}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{A5767569-C05E-4697-9299-90AF042AA691}\cab54A5CABBE7274D8A22EB58060AAB7623
Filesize
814KB

MD5
a57efc0afffdf914cbc76bb882cad37e

SHA1
732dbef27c49c27d9f1c00eba177eabc21650fb8

SHA256
c384da7cc6ead2ce054a67fded26d7e4cff2f981a83c64de62e53864665e5f45

SHA512
ad2cfc0fd199fe2726fd18c0a5972185e8331fe49807ca6340212901dd61d30853e2c72015ee9bac0425e287ef488190a245676173194fafbf8f6fc7fbf9baba

Download Submit
C:\Windows\Temp\{A5767569-C05E-4697-9299-90AF042AA691}\cabB3E1576D1FEFBB979E13B1A5379E0B16
Filesize
4.9MB

MD5
4a17e4da145fa1ea92a52266221ad628

SHA1
f6304de9d73609f6b9717d6a4d44efd7ab7ffe9e

SHA256
9544abbd46b39bec491cf63076fb109306e519f303df9cd583a28956172bf038

SHA512
de9a6a1391070a9470f78208ff74120cffd2a1e2580af4add87914ba6dd27e07b092e66caa847726e05eb5fae0c1252681de37f34b560d4d95f3b76f3599e16c

Download Submit
C:\Windows\Temp\{A5767569-C05E-4697-9299-90AF042AA691}\vcRuntimeAdditional_x86
Filesize
180KB

MD5
a37983d3fca236d6ae2d22ab0fa9f1d4

SHA1
82f77032813aeddf321d681da4e1aa50786258dd

SHA256
a7f13351ce5b41fcf6c2ed95f223f5e2aab5411bf8499a772f69ad8ffb87f96b

SHA512
619467e6d4aa6bc8f1cc02daf52330e28c313d774a1d0b0bb96d40a2ed2dc3697cee738463faed040e1bca407c3471ae1bc8dd91472682b25c579caacdbf7374

Download Submit
C:\Windows\Temp\{A5767569-C05E-4697-9299-90AF042AA691}\vcRuntimeMinimum_x86
Filesize
180KB

MD5
3ca6b74aefe34587f479055f5915e136

SHA1
61771e0a8ccabac8783a22f67adcbce612f11704

SHA256
a6f3a8e4e2162d8df176418e9a238becb645b2db31d8073bfc4f4cdb7fb1aa22

SHA512
3949cb3fdad3e8d5e9c649141a72783e0b403d3e835433d4d456654bcdad1290258f6d023ce127740f9c82459d337b9f8731c799efcf99775955d38cf3fef750

Download Submit
C:\Windows\Temp\{F5758F0F-67CC-4B17-A1CB-3082EC8736A5}\.cr\rat.exe
Filesize
634KB

MD5
7bd0b2d204d75012d3a9a9ce107c379e

SHA1
41edd6321965d48e11ecded3852eb32e3c13848d

SHA256
d4c6f5c74bbb45c4f33d9cb7ddce47226ea0a5ab90b8ff3f420b63a55c3f6dd2

SHA512
d85ac030ebb3ba4412e69b5693406fe87e46696ca2a926ef75b6f6438e16b0c7ed1342363098530cdceb4db8e50614f33f972f7995e4222313fcef036887d0f0

Download Submit