Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/10/2024, 09:28

General

  • Target

    2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe

  • Size

    1.6MB

  • MD5

    35a39b5dab654322931ab6920106903e

  • SHA1

    d1486d4e9972a1e18322ae679c56e004ffd777ff

  • SHA256

    bb1b0ea17894b330457b93afc86b936ebc5be9f51fae6b6f128591a627db120c

  • SHA512

    c3523a8cbb9a8cf3233e05a13337686086f2c32c8aae88869060af0013cca0623b25cb5d29977afad62036275efd90da86361787c390d7ab25cfe6c7b473e60a

  • SSDEEP

    24576:TNbqRetBjNKieTnCPXybrXMfq4K6ApZpiZxKK6oanWowemBJo56K:ZbvXKikCPC4q4K7pZ8xKDwe56

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe"
    1⤵
    • Enumerates connected drives
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
      2⤵
      • Enumerates connected drives
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
        "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
        3⤵
        • Enumerates connected drives
        • Modifies Control Panel
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2432
        • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
          "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
          4⤵
          • Enumerates connected drives
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
            "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
            5⤵
            • Enumerates connected drives
            • Modifies Control Panel
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3060
            • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
              "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
              6⤵
              • Enumerates connected drives
              • Modifies Control Panel
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:300
              • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                7⤵
                • Enumerates connected drives
                • Modifies Control Panel
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:2304
                • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                  "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                  8⤵
                  • Enumerates connected drives
                  • Modifies Control Panel
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:884
                  • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                    "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                    9⤵
                    • Enumerates connected drives
                    • Modifies Control Panel
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of WriteProcessMemory
                    PID:2896
                    • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                      "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                      10⤵
                      • Enumerates connected drives
                      • Modifies Control Panel
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      • Suspicious use of WriteProcessMemory
                      PID:3044
                      • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                        "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                        11⤵
                        • Enumerates connected drives
                        • Modifies Control Panel
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:1352
                        • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                          "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                          12⤵
                          • Enumerates connected drives
                          • Modifies Control Panel
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          • Suspicious use of WriteProcessMemory
                          PID:1080
                          • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                            "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                            13⤵
                            • Enumerates connected drives
                            • Modifies Control Panel
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            • Suspicious use of WriteProcessMemory
                            PID:2280
                            • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                              "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                              14⤵
                              • Enumerates connected drives
                              • Modifies Control Panel
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:568
                              • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                15⤵
                                • Enumerates connected drives
                                • Modifies Control Panel
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of SendNotifyMessage
                                • Suspicious use of WriteProcessMemory
                                PID:2012
                                • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                  "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                  16⤵
                                  • Enumerates connected drives
                                  • Modifies Control Panel
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  • Suspicious use of WriteProcessMemory
                                  PID:2704
                                  • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                    "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                    17⤵
                                    • Enumerates connected drives
                                    • Modifies Control Panel
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of WriteProcessMemory
                                    PID:2716
                                    • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                      "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                      18⤵
                                      • Enumerates connected drives
                                      • Modifies Control Panel
                                      • Suspicious use of FindShellTrayWindow
                                      • Suspicious use of SendNotifyMessage
                                      • Suspicious use of WriteProcessMemory
                                      PID:2748
                                      • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                        "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                        19⤵
                                        • Enumerates connected drives
                                        • Modifies Control Panel
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SendNotifyMessage
                                        • Suspicious use of WriteProcessMemory
                                        PID:2636
                                        • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                          "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                          20⤵
                                          • Enumerates connected drives
                                          • Modifies Control Panel
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          • Suspicious use of WriteProcessMemory
                                          PID:1992
                                          • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                            "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                            21⤵
                                            • Enumerates connected drives
                                            • Modifies Control Panel
                                            • Suspicious use of FindShellTrayWindow
                                            • Suspicious use of SendNotifyMessage
                                            • Suspicious use of WriteProcessMemory
                                            PID:1320
                                            • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                              "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                              22⤵
                                              • Enumerates connected drives
                                              • Modifies Control Panel
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of SendNotifyMessage
                                              • Suspicious use of WriteProcessMemory
                                              PID:1396
                                              • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                                "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                                23⤵
                                                • Enumerates connected drives
                                                • Modifies Control Panel
                                                PID:1756
                                                • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                                  24⤵
                                                  • Enumerates connected drives
                                                  • Modifies Control Panel
                                                  PID:916

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Ventural\VM-Saga.json

    Filesize

    1KB

    MD5

    172e51dc68a722b2e59207c3eeaddc1c

    SHA1

    653ae9fd7da29fbb131e1368c248964cd6e12f27

    SHA256

    7c85729cd86ecd4531a16d7700c1227390c18f83ea3592baa129bde62ed0e422

    SHA512

    2ec3f1416aa2f6a00bf69d8f1357ea1a074a37c7338a3a8020467954befefb2f4721939272c3d48f4d5d52e95c59d0f38988a2d2486ee88b8430793d2a8ce51a

  • C:\Users\Admin\AppData\Roaming\Ventural\VM-Saga.json

    Filesize

    1KB

    MD5

    0da9b71ac083d74e774929c76b4783c2

    SHA1

    befc0228951e397d7537e27445dc16b389e940e8

    SHA256

    dbc627d8a65adb82b4a4725d6b6a2da45794c2f325b1fba9fb5997392cfdd9f2

    SHA512

    21cc0414519f091c69941d29c923ba8beb403992e1afddb709ea1a272c8645e21b1ed38bbb45b52f77ac4f0759d2c30cc6bad9d0c36b242f7388ea671dc76c22

  • C:\Users\Admin\AppData\Roaming\Ventural\VM-Saga.json

    Filesize

    1KB

    MD5

    7262282655878d569527c961dd354fdc

    SHA1

    8aa3fc94271f747ef31258852314b135c54b30a5

    SHA256

    c33a2b097cebcd7c56a689bcf9b189cbe6767f7e4cb867b0e99318504003520d

    SHA512

    3aa0eb26e0de6c85e532414270ef163d1bca5aa9b025c5557425365ad9905476b6dce26fa0e07bc2a76e05a6c907d2d159c2dc432efb6ad854a9d9d734bf0349

  • C:\Users\Admin\AppData\Roaming\Ventural\VM-Saga.json

    Filesize

    1KB

    MD5

    03b87f2ab3cfbc9ba1f7efbdbf8200f1

    SHA1

    e022cc760ab7198aaf4a3c5ccc4a7158aa7a3eee

    SHA256

    1e6402648dda556f095b34bab10a14effa9141090c66b846ba3ff57d659079ab

    SHA512

    e981f40eee7905355352eb08bec02d24e719e1f1b54e73ec52278a681febe7598d9706be43a45f5291ca7908c4789eb6fdbdc4cf9b471695ff5604d4cd06024f

  • C:\Users\Admin\AppData\Roaming\Ventural\VM-Saga.json

    Filesize

    1KB

    MD5

    a9b007561235a661363df025b39efdf9

    SHA1

    bf2e9cb45989f9104e7f6e5d6941748e623dd793

    SHA256

    86f63f33d0271bb31572fab2c2f8c95de5e9f5d3846b826c88ed051e303ac269

    SHA512

    3be9390771390ca65b4816a39120ecfa22e329ccf606507f9e06b96ffb63787dad2d0cf49c0400dd8f339a7cf9095e67a8a5df287764eaec9ac85912ccf61d8c

  • C:\Users\Admin\AppData\Roaming\Ventural\VM-Saga.json

    Filesize

    1KB

    MD5

    403ddd5da62142748c50c927421babc8

    SHA1

    01e107189728ab978593c9a0032285568c3233ca

    SHA256

    88cbd3f59f63958fd378dd015496110f984e259bc75a8f7d7209e59f95fbcf4a

    SHA512

    a92f876084a9746f3d183ce385a057533100fc74beb63c0fe7df61687de2a3c9f06e669ef64df02a67a469be742b645b541863e8a096f7da0d38d04e2b4e3741

  • C:\Users\Admin\AppData\Roaming\Ventural\VM-Saga.json

    Filesize

    1KB

    MD5

    7e7f069a575f825d66747ca983fd00ce

    SHA1

    9edc702c3edd60f7debbbfb3b4341f36a8dd048a

    SHA256

    349315fac54d53e5532602f9dec295538bacc3604a9a6d1941f5a49d3d91e2e2

    SHA512

    1e110d602c637546684e238650036d1a7d166ea75770baa601cf6ae17e5a9193ecfc9f76da92d39b6f75f64340086fb93cfd4b306544b8e783f1a8cb5ec9437f

  • C:\Users\Admin\AppData\Roaming\Ventural\VM-Saga.json

    Filesize

    1KB

    MD5

    603697862a77286da33b4c80c244d0a0

    SHA1

    7c943442d807b31b69757c60395b44c81c92d320

    SHA256

    fcc3fb4ef674cfb1c73e56ba08b8ecb6abe9f9ad2203b7ffd076a43f663abcf5

    SHA512

    1d5e21a09cefdb1f2658950071569dfb86b2db9b47942fa72e5a103429cdf02d3400f1cbe7e34b491b1c0905b14ac0c7cfcea29949634f78122537d7dfeb523a

  • C:\Users\Admin\AppData\Roaming\Ventural\VM-Saga.json

    Filesize

    1KB

    MD5

    29e4480f5e9412a1eaaf195c81506749

    SHA1

    eac44029576c72b9f0447bd29af74bb7447bdbc7

    SHA256

    8eab47fe35932284c04ab9e5e711f4ba4635a3e7f605bbf0a867e04cc1b4d8b6

    SHA512

    e36b59e9ceaf96a268ee434542c10788bb50a3ad0ab7bf3cf122891548e824b67ad40ac910221d94130d0c9744484bcd23d08dd146ddfa3c11a44047d52be632

  • C:\Users\Admin\AppData\Roaming\Ventural\VM-Saga.json

    Filesize

    1KB

    MD5

    5993183e1db22ea78c04c461426e0009

    SHA1

    28716abbe4e616c080dee18011d649f387755674

    SHA256

    4d544f034a05f7e47897ab27fa1d0a34c1b8f8ca54e25bdeed9a5a261d1974ca

    SHA512

    387db04600fe5fde1a9efc298eab2696953b2ee6943a620f3c4464af5573d688876115f8387ec69fd08d7a8293e52c557b5dcb1acfc4efa893e4b086a09e5d53

  • C:\Users\Admin\AppData\Roaming\Ventural\VM-Saga.json

    Filesize

    1KB

    MD5

    8e245dca9ba3c7c103b1e17a2e3375fe

    SHA1

    c0aac721c323312252163936cc042c163ab78130

    SHA256

    868fd921b824952423ef09e8ce70c682276f15ba6d4d2f51863367a8cf553659

    SHA512

    42a901f384c2972ab387358d37fe397952acebad5edd0df14fa1e62440f071f59e2aca82376502f47ac89d2ae3b1e594e386de3a3d478179c1fcfdfff584bee9

  • C:\Users\Admin\AppData\Roaming\Ventural\VM-Saga.json

    Filesize

    1KB

    MD5

    2ed804276c24e244a345dae9625ac735

    SHA1

    9b822f23ee49cf59c351f876cb054bb23e026c18

    SHA256

    29a41452f86a6cda8d7696b5eff52730dec6ec4e551c2c430e7b564311a4ab16

    SHA512

    c3367bd1cc7ddb587523523b0478deb03c0cb15fb5c82ccaf7a136c05af02d9d545f35ef2c1c4c5e4e0d137183401bae22fa159deda57eb91468f3e8ad2cf1b7

  • C:\Users\Admin\AppData\Roaming\Ventural\Venmon.ini

    Filesize

    128B

    MD5

    f0891ecaf11c581af23b66b792a04572

    SHA1

    7d87c505ee620af0bbfd91c4c7ac2e69cfdb74d0

    SHA256

    e08d920430e243c941f7a38960b772ffb1bdd49443cee292789ac2b4de4f835a

    SHA512

    c487cf485160ead488ad3939b0c9dbae3de582f5c987ade9febb6db3a8595ba5a75c884f4e94198427724b9d068559135124a26ea52a52b23a239a1c369527fa

  • C:\Users\Admin\AppData\Roaming\Ventural\Venmon.ini

    Filesize

    128B

    MD5

    adc82d2e470a24c55de1b146084c9051

    SHA1

    f2161ba2168e6709d70f13d8631e55392035220a

    SHA256

    bf764d8b55eba8a1954a80d69aa5aab4be46748576168baf661a4da2370d6944

    SHA512

    dc6bc705c9c03ef79e6f0db43b9dc6eeacb6cf6eca58ce705d2756bb55eed2bceb6810ad80153a0ccc3343088d69fde3700602e81fa5eabd1affde1004b4bb9b