0cc32738dd2dbf5d0c128a9029783b6daa691c999683feae8b9caa4c0805eaad

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Br_i421i2-2481-125_754864.msi
Size

9.3MB
MD5

dc2ff54f9664f90f09004b367fbdca10
SHA1

e0dd52a75514bae7e68396e953eab1a62e567aa5
SHA256

0cc32738dd2dbf5d0c128a9029783b6daa691c999683feae8b9caa4c0805eaad
SHA512

3032476f1e6511371322c79fff6a45ccb5cc3c79a01db470f1c3c207e3557272b7f1b306218af46bc96cae243da843dae5f1006dff5e225e0d1deec3c552fcf5
SSDEEP

196608:r/i0OAYet5vLXFZf6eB1No6Zd4vvrm89UcP7fbUDd57U8:Ti0OAY+N5ZfHB16RHrm8VT6Q

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	352	powershell.exe
5	352	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI3D7F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F35.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f763ba9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D30.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C16.tmp	msiexec.exe
File created	C:\Windows\Installer\f763bac.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI407F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f763ba9.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f763bac.ipi	msiexec.exe

Loads dropped DLL 4 IoCs

pid	Process
1916	MsiExec.exe
1916	MsiExec.exe
1916	MsiExec.exe
1916	MsiExec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
352	powershell.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2192	msiexec.exe
2192	msiexec.exe
352	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2380	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2380	msiexec.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeSecurityPrivilege	2192	msiexec.exe
Token: SeCreateTokenPrivilege	2380	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2380	msiexec.exe
Token: SeLockMemoryPrivilege	2380	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2380	msiexec.exe
Token: SeMachineAccountPrivilege	2380	msiexec.exe
Token: SeTcbPrivilege	2380	msiexec.exe
Token: SeSecurityPrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: SeLoadDriverPrivilege	2380	msiexec.exe
Token: SeSystemProfilePrivilege	2380	msiexec.exe
Token: SeSystemtimePrivilege	2380	msiexec.exe
Token: SeProfSingleProcessPrivilege	2380	msiexec.exe
Token: SeIncBasePriorityPrivilege	2380	msiexec.exe
Token: SeCreatePagefilePrivilege	2380	msiexec.exe
Token: SeCreatePermanentPrivilege	2380	msiexec.exe
Token: SeBackupPrivilege	2380	msiexec.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeShutdownPrivilege	2380	msiexec.exe
Token: SeDebugPrivilege	2380	msiexec.exe
Token: SeAuditPrivilege	2380	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2380	msiexec.exe
Token: SeChangeNotifyPrivilege	2380	msiexec.exe
Token: SeRemoteShutdownPrivilege	2380	msiexec.exe
Token: SeUndockPrivilege	2380	msiexec.exe
Token: SeSyncAgentPrivilege	2380	msiexec.exe
Token: SeEnableDelegationPrivilege	2380	msiexec.exe
Token: SeManageVolumePrivilege	2380	msiexec.exe
Token: SeImpersonatePrivilege	2380	msiexec.exe
Token: SeCreateGlobalPrivilege	2380	msiexec.exe
Token: SeBackupPrivilege	1152	vssvc.exe
Token: SeRestorePrivilege	1152	vssvc.exe
Token: SeAuditPrivilege	1152	vssvc.exe
Token: SeBackupPrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2696	DrvInst.exe
Token: SeRestorePrivilege	2696	DrvInst.exe
Token: SeRestorePrivilege	2696	DrvInst.exe
Token: SeRestorePrivilege	2696	DrvInst.exe
Token: SeRestorePrivilege	2696	DrvInst.exe
Token: SeRestorePrivilege	2696	DrvInst.exe
Token: SeRestorePrivilege	2696	DrvInst.exe
Token: SeLoadDriverPrivilege	2696	DrvInst.exe
Token: SeLoadDriverPrivilege	2696	DrvInst.exe
Token: SeLoadDriverPrivilege	2696	DrvInst.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeDebugPrivilege	352	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2380	msiexec.exe
2380	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 1916	2192	msiexec.exe	32
PID 2192 wrote to memory of 1916	2192	msiexec.exe	32
PID 2192 wrote to memory of 1916	2192	msiexec.exe	32
PID 2192 wrote to memory of 1916	2192	msiexec.exe	32
PID 2192 wrote to memory of 1916	2192	msiexec.exe	32
PID 2192 wrote to memory of 1916	2192	msiexec.exe	32
PID 2192 wrote to memory of 1916	2192	msiexec.exe	32
PID 1916 wrote to memory of 352	1916	MsiExec.exe	33
PID 1916 wrote to memory of 352	1916	MsiExec.exe	33
PID 1916 wrote to memory of 352	1916	MsiExec.exe	33
PID 1916 wrote to memory of 352	1916	MsiExec.exe	33

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Br_i421i2-2481-125_754864.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2380

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24A0DCB6F3D0345401BAB1D063A78DCE
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss41F4.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi41F0.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr41F1.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr41F2.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002D0" "00000000000005A8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f763bad.rbs

Filesize
655KB

MD5
e3a52347b78859863d98de4bd9bc6b8b

SHA1
c7b83fb95005dc468e6f9b9d38631161103eb0f4

SHA256
a37e94adf0e7049df92da9ab14b241a8d762c8165035203f6c31736d6fda4709

SHA512
b6100d9c50b00fb9dc19496f6921210c05a11287ed9666f0d5d0fddf8dfad76266ef60c809a147d629b4757c4c9c0387644fe12b9b8b0e8ceeba0814956451f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4C2F.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4C51.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss41F4.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr41F1.ps1

Filesize
1KB

MD5
a5df3bcd6eb76f639b5feb3e8b68b3db

SHA1
f798930d1803b8768244f7acad963e6620ecae7f

SHA256
41d352c568b73b9edbab8736ee387d3efe15f2693abb58ffc13361706e8abc64

SHA512
58567b3663c2978c34da805cbf847a9ca20299baa999411a3317fd0de475f8a8d0a6c4e08070b249b46234a46c6634918aa67208319990ea3fd0b6abacad2f9f

Download Submit
C:\Windows\Installer\MSI3C16.tmp

Filesize
588KB

MD5
b7a6a99cbe6e762c0a61a8621ad41706

SHA1
92f45dd3ed3aaeaac8b488a84e160292ff86281e

SHA256
39fd8d36f8e5d915ad571ea429db3c3de6e9c160dbea7c3e137c9ba4b7fd301d

SHA512
a17e4512d906599b7f004ebb2f19ee2566ee93c2c18114ac05b0a0115a8c481592788f6b97da008795d5c31fb8d819ac82a5097b1792248319139c3face45642

Download Submit
\Windows\Installer\MSI407F.tmp

Filesize
649KB

MD5
6ea44a4959ff6754793eabf80eb134d6

SHA1
fac049850ca944ec17cda0c20dfbc3a30f348611

SHA256
7a23e492658e6d38873f3ad82f41ec1fa45102da59fa8d87595d85dafca6fa98

SHA512
e620835985a8ef03a55af210d156f9dfa6313d4c36131ea17fdad9b6acab37214041535efe99b7a33355ce8d5ff88e0c1ed10719726f4a23b51650cf7b15ae13

Download Submit