Affected Platforms: Microsoft Wi 2026-5-15 13:0:0 Author: feeds.fortinet.com(查看原文) 阅读量:16 收藏
Affected Platforms: Microsoft Windows
Impacted Users: Any organization
Impact: Attackers Stolen data may be leveraged for follow-on attacks
Severity Level: High
The use of steganography in the threat landscape continues to accelerate. Threat actors are increasingly shifting from direct encrypted transfers to a 'legitimate-file-plus-hidden-data' model, effectively masking their next-stage payloads within everyday media.
FortiGuard Labs recently uncovered a phishing campaign that abuses environment variables to hide malicious commands and uses PawsRunner as a Steganography Loader to deploy the .NET infostealer PureLogs.
Figure 1: Attack flow
This blog outlines the malware's delivery vector and provides a technical analysis of PawsRunner and the subsequent deployment of an evolved PureLogs payload.
Initial Access
The attack campaign begins with a phishing email containing an TXZ archive (an XZ-compressed TAR file) as an attachment, as illustrated in Figure 2. It uses an invoice-themed lure and a sense of urgency to prompt the recipient to open the attachment without delay.
Figure 2: The phishing e-mail
JavaScript
The JavaScript file extracted from the archive contains several functions, each preceded by irrelevant comments. These comments are in a mix of languages, including Chinese, Japanese, Korean, Russian, Hindi, and Arabic, as shown in Figure 3.
Figure 3: Comments are a mix of several languages
The functions declare a large number of Process environment variables containing garbled text. It then launches conhost.exe in headless mode to hide malicious activity. The invoked PowerShell also uses the -w hidden flag to hide the PowerShell window. The command executed is specified by one of these variables.
Figure 4: One of the environment variables executed by PowerShell.
The PowerShell script first retrieves data from Process environment variables, then decodes and decrypts its payload using the AES algorithm, and finally decompresses it using the Gzip method. The resulting .NET assembly—the executable payload—is then loaded and executed dynamically via reflection in a fileless manner.
Figure 5: The resulting .NET assembly is dynamically loaded via reflection.
.NET Assembly Loader
The .Net assembly will decrypt and load the next stage, which is also an executable file.
Figure 6: The next-stage loader is loaded.
The decrypted EXE loader provides various modules. Interestingly, as shown in Figure 7, the loader commonly uses cat photos for its application icon.
Figure 7: The loader uses cat photos for its application icon.
The loader initializes static fields with configuration data, including an encrypted payload URL, user-agent, seed, magic number, and other settings. Additionally, it loads native libraries and resolves addresses for necessary API functions.
Figure 8: Initializing static fields with configuration data.
After the initial setup, the loader performs preliminary configuration to prepare for download. The download URL is decrypted using the RC4 algorithm, as shown in Figure 9.
Figure 9: The download URL is decrypted.
After that, the download module cycles through three hard-coded pairs of user-agents and three network APIs (HttpClient, WebClient, and WebRequest), as shown in Figure 10.
Figure 10: The loader iterates different network APIs to download data.
Furthermore, when issuing the download request, the loader specifies a hierarchical preference in the Accept header. It prioritizes image/png, then image/*, and finally */*, explicitly requesting the server to return a PNG image as the preferred response type if available.
The downloaded data may contain three types of content: HTML, Base64-encoded data, and a PNG file. It is processed accordingly based on its type.
- For HTML content, a new URL is extracted from the HTML, the original download link is replaced with it, and the data is then attempted to be downloaded from the updated URL.
- Base64-encoded data is first decoded. The decoded data and the PNG file are then processed in the same way: the image file uses steganography to conceal data within the picture and uses “iTXt” and “IEND” chunks as markers to locate the encrypted data. This data is then used to decrypt the next stage of the payload. Interestingly, the PNG files we have downloaded also include images of cats.
After decoding the PNG file, we obtained another .NET execution file.
Figure 11: Data embedded in the PNG file.
However, the loader also provides a fallback mechanism. If the download fails or the payload cannot be extracted from the downloaded data, it will use an alternate set of URLs from the configuration as a fallback. In the sample we’ve analyzed, the fallback URLs are empty.
After bypassing ETW and Windows 11 (24H2) security features, the next-stage payload is executed.
We have been tracking similar loaders since March of this year and have observed several evolutions. Initially, the loader simply downloaded and executed a PE file. It later transitioned to extracting an encrypted payload from image files using steganography.
Furthermore, a version discovered in early April included a persistence module. Notably, the initial versions lacked a fallback URL mechanism. However, since the beginning, the loader has consistently attempted to download data using various Network APIs, and the decrypted EXE loader has consistently used cat photos for its application icon.
Figure 12: The initial version simply downloaded and executed a PE file.
A closer examination of the loader revealed strong similarities to a previously unidentifiedprogram. Its initialization routines, naming conventions, and methods for resolving required API functions are very similar to those of that program, as illustrated in Figure 13. Consequently, we chose the name from the earlier sample and call this loader PawsRunner.
Figure 13: The loader is highly similar to PawsRunner.
The next section provides a detailed examination of 'Purelogs,' the final-stage payload delivered by PawsRunner.
PureLogs
PureLogs is an infostealer from the Pure family of products developed by PureCoder. As the most prominent member of the Pure family’s malware, it uses .NET Reactor for protection and employs Protobuf serialization for its configuration data.
In this attack campaign, the executable first loads a resource-only assembly that contains no executable code, only resource data. It then decrypts and decompresses the resource data as a .NET DLL using TripleDES and Gunzip, as shown in Figure 14.
Figure 14: Loading a resource-only assembly for the next stage.
This DLL acts as a downloader. It first parses Base64-encoded data and then deserializes it to obtain the final configuration.
Figure 15: Configuration
After retrieving the configuration, the malware extracts the C2 server details, Build ID, AES key, a mutex name, and feature flags. As shown in Figure 16, it then executes asynchronous methods to send an HTTP request to the /ping endpoint over TLS to verify connectivity. Once the connection is confirmed, it retrieves the next-stage payload by requesting the /plugin endpoint.
Figure 16: Concatenating the URL within TestConnectionAsync.
The downloaded encrypted payload must be decrypted with AES-256 in CBC mode, using the key specified in the configuration. After decryption and decompression with gzip, the PureLogs core DLL is loaded into memory, and its entry point is invoked.
PureLogs retrieves its configuration from parameters passed during invocation. Consistent with the previous layer, this component performs a connectivity test before initiating the collection routine. It first collects the victim information as detailed below and reports it to the C&C server via an HTTP request. It then gathers victim system information—as detailed below—and exfiltrates it to the C2 server via HTTP requests. This stage leverages Windows Management Instrumentation (WMI) to profile the victim's system environment. Based on the configuration, the version appears to be 5.0.0.
Figure 17: Sending the collected information to the remote server using /userinfo
Next, it performs a series of asynchronous tasks as shown in Figure 18—<CreateDemoApplicationAsync>, <CreateDemoBrowserDataAsync>, <CreateDemoBrowserDataAsync>, <CreateDemoDiscordAsync>, and <CreateDemoFileSearchAsync>—each similar to the previous version. The key difference is that, in this version, it sends updates to a remote server during each task via HTTP requests.
Figure 18: The harvesting routine is executed via asynchronous tasks.
The following is a list of harvested items:
Web browsers:
Google Chrome, Chrome Beta, Chrome SxS, Chrome Dev, Chrome Unstable, Chrome Canary, Chromium, Microsoft Edge, Brave, Epic Privacy Browser, Amigo, Vivaldi, Kometa, Orbitum, Mail.Ru Atom, Comodo Dragon, Torch, Comodo, 360 Chrome, Slimjet, Maxthon, QQ Browser, K-Meleon, Xpom, Lenovo SLBrowser, Xvast, Go!, Safer Secure Browser, Sputnik, Nichrome, CocCoc, Uran, Chromodo, 7Star, Chedot, CentBrowser, Iridium, Elements Browser, Citrio, Sleipnir, QIP Surf, Liebao, Coowon, ChromePlus, Rafotech Mustang, Suhba, TorBro, RockMelt, Bromium, Twinkstar, iTop Private Browser, CCleaner Browser, AcWebBrowser, CoolNovo, Baidu Spark, SRWare Iron, Titan Browser, AVAST Browser, AVG Browser, UC Browser, UR Browser, Blisk, Flock, CryptoTab, Sidekick, SwingBrowser, Superbird, SalamWeb, GhostBrowser, NetboxBrowser, GarenaPlus, Kinza, InsomniacBrowser, ViaSat, Naver Whale, Falkon, Sogou Explorer, Opera Stable, Opera GX, Opera Neon, Opera Crypto Developer, Yandex Browser, Firefox, SeaMonkey, Waterfox, K-Meleon, Thunderbird, IceDragon, Cyberfox, BlackHawk, Pale Moon, Basilisk, BitTube, SlimBrowser, LibreWolf, Mercury.
Extensions: (crypto wallets, password managers, and authenticators)
| lgmpcpglpngdoalbgeoldeajfclnhafa | - | SafePal |
| phkbamefinggmakgklpkljjmgibohnba | - | Pontem Aptos |
| mcohilncbfahbmgdjkbpemcciiolgcge | - | OKX |
| idnnbdplmphpflfnlkomgpfbpcgelopg | - | xverse.app |
| opfgelmcmbiajamepnmloijbpoleiama | - | Rainbow |
| ocjdpmoallmgmjbbogfiiaofphbjgchh | - | Elli-Sui |
| gojhcdgcpbpfigcaejpfhfegekdgiblk | - | Opera |
| ejjladinnckdgjemekebdpeokbikhfci | - | Petra Aptos |
| gjagmgiddbbciopjhllkdnddhcglnemk | - | Hashpack |
| afkoofjocpbclhnldmmaphappihehpma | - | zkPass TransGate |
| abogmiocnneedmmepnohnhlijcjpcifd | - | Blade-Hedera Web3 Digital |
| fcfcfllfndlomdhbehjjcoimbgofdncg | - | Leap Cosmos |
| kppfdiipphfccemcignhifpjkapfbihd | - | Frontier |
| jgaaimajipbpdogpdglhaphldakikgef | - | Coinhub |
| ifclboecfhkjbpmhgehodcjpciihhmif | - | Klever |
| loinekcabhlmhjjbocijdoimmejangoa | - | Glass-Sui |
| dngmlblcodfobpdpecaadgfbcggfjfnm | - | MultiversX DeFi |
| ebfidpplhabeedpnhjnobghokpiioolj | - | Fewcha Move |
| mmmjbcfofconkannjonfmjjajpllddbg | - | Fluvi |
| cnncmdhjacpkmjmkcafchppbnpnhdmon | - | HAVAH |
| onhogfjeacnfoofkfgppdlbmlmnplgbn | - | SubWallet - Polkadot |
| anokgmphncpekkhclmingpimjmcooifb | - | compass-wallet-for-sei |
| hbbgbephgojikajhfbomhlmmollphcad | - | Rise - Aptos |
| heefohaffomkkkphnlpohglngmbcclhi | - | Morphis |
| jkjgekcefbkpogohigkgooodolhdgcda | - | BitPay |
| ojggmchlghnjlapmfbnjholfjkiidbch | - | Venom |
| ibnejdfjmmkpcnlpebklmnkoeoihofec | - | TronLink |
| fihkakfobkmkjojpchpfgcmhfjnmnfpi | - | BitApp |
| nkbihfbeogaeaoehlefnkodbefgpgknn | - | MetaMask |
| aholpfdialjgjfhomihkjbmgjidlcdno | - | Exodus |
| egjidjbpglichdcondbcbdnbeeppgdph | - | Trust |
| jnlgamecbpmbajjfhmmmlhejkemejdma | - | Braavos Smart |
| ffnbelfdoeiohenkjibnmadjiehjhajb | - | Yoroi |
| fhbohimaelbohpjbbldcngcnapndodjp | - | Binance Chain |
| aiaifbiceejhhkfbjdgonjgljkpcdhch | - | Jaxx Liberty |
| kncchdigobghenbbaddojjnnaogfppfj | - | iWallet |
| ijmpgkjfkbfhoebgogflfebnmejmfbml | - | BitClip |
| aiifbnbfobpmeekipheeijimdpnlpgpp | - | Terra Station |
| hifafgmccdpekplomjjkcfgodnhcellj | - | EQUAL |
| amkmjjmmflddogmhpjloimipbofnfjih | - | Wombat |
| jnldfbidonfeldmalbflbmlebbipcnle | - | Nifty |
| afbcbjpbpfadlkmhmclhkeeodmamcflc | - | Math |
| hpglfhgfnhbgpjdenjgmdgoeiappafln | - | Guarda |
| aeachknmefphepccionboohckonoeemg | - | Coin98 |
| mnfifefkajgofkcjkemidiaecocnkjeh | - | TezBox |
| dkdedlpgdmmkkfjabffeganieamfklkm | - | Cyano |
| hnfanknocfeofbddgcijnmhnfnkdnaad | - | Coinbase |
| bfnaelmomeimhlpmgjnjophhpkkoljpa | - | Phantom |
| fcckkdbjnoikooededlapcalpionmalo | - | MOBOX |
| bocpokimicclpaiekenaeelehdjllofo | - | XDCPay |
| bhhhlbepdkbapadjdnnojkbgioiodbic | - | Solana |
| cmndjbecilbocjfkibfbifhngkdmjgog | - | Swash |
| cjmkndjhnagcfbpiemnkdpomccnjblmj | - | Finnie |
| dmkamcknogkgcdfhhbddcghachkejeap | - | Keplr |
| kpfopkelmapcoipemfendmdcghnegimn | - | Liquality |
| hgmoaheomcjnaheggkfafnjilfcefbmo | - | Rabet |
| fnjhmkhhmkbjkkabndcnnogagogbneec | - | Ronin |
| klnaejjgbibmhlephnhpmaofohgkpgkd | - | ZilPay |
| hmeobnfnfcmdkdcmlblgagmfpfboieaf | - | XDEFI |
| lpilbniiabackdjcionkobglmddfbcjo | - | Waves Keeper |
| gflpckpfdgcagnbdfafmibcmkadnlhpj | - | GreenAddress |
| fhmfendgdocmcbmfikdcogofphimnkno | - | Sollet |
| flpiciilemghbmfalicajoolhkkenfel | - | ICONex |
| nlbmnnijcnlegkjjpcfjclmcfggfefdm | - | MEW CX |
| cphhlgmgameodnhkjdmkpanlelnlohao | - | NeoLine |
| hcflpincpppdclinealmandijcmnkbgn | - | KHC |
| nlgbhdfgdhgbiamfdfmbikcdghidoadd | - | Byone |
| ilbbpajmiplgpehdikmejfemfklpkmke | - | OneKey |
| pfknkoocfefiocadajpngdknmkjgakdg | - | MetaWallet |
| bhmlbgebokamljgnceonbncdofmmkedg | - | Atomic |
| hieplnfojfccegoloniefimmbfjdgcgp | - | Electrum |
| pidhddgciaponoajdngciiemcflpnnbg | - | Mycelium |
| blbpgcogcoohhngdjafgpoagcilicpjh | - | Coinomi |
| doljkehcfhidippihgakcihcmnknlphh | - | Edge |
| nbokbjkelpmlgflobbohapifnnenbjlh | - | BRD |
| apjdnokplgcjkejimjdfjnhmjlbpgkdi | - | Samourai |
| jifanbgejlbcmhbbdbnfbfnlmbomjedj | - | Bread |
| dojmlmceifkfgkgeejemfciibjehhdcl | - | KeepKey |
| pfkcfdjnlfjcmkjnhcbfhfkkoflnhjln | - | Ledger Live |
| hbpfjlflhnmkddbjdchbbifhllgmmhnm | - | Ledger |
| ocmfilhakdbncmojmlbagpkjfbmeinbd | - | Bitbox |
| dbhklojmlkgmpihhdooibnmidfpeaing | - | Digital Bitbox |
| pnlccmojcmeohlpggmfnbbiapkmbliob | - | RoboForm |
| cnlhokffphohmfcddnibpohmkdfafdli | - | MultiPassword |
| aeblfdkhhhdcdjpifhhbdiojplfjncoa | - | 1Password-fox |
| fdjamakpfbbddfjaooikfcpapjohcfmg | - | Dashlane |
| lgbjhdkjmpgjgcbcdlhkokkckpjmedgc | - | DualSafe Password Manager |
| imloifkgjagghnncjkhggdhalmcnfklk | - | Trezor Password Manager |
| gaedmjdfmmahhbjefcbgaolhhanlaolb | - | Authy |
| bhghoamapcdpbohphigoooaddinpkbai | - | Authenticator |
| ilgcnhelpchnceeipipijaljkblbcobl | - | GAuth Authenticator |
| oeljdldpnmdbchonielidgobddffflal | - | EOS Authenticator |
| oboonakemofpalcgghocfoadofidjkkk | - | KeePassXC |
| nngceckbapebfimnlniiiahkandclblb | - | Bitwarden |
| fooolghllnmhmmndgjiamiiodkpenpbb | - | NordPass |
| bfogiafebfohielmmehodmfbbebbbpei | - | Keeper |
| hdokiejnpimakedhajhdlcegeplioahd | - | LastPass |
| naepdomgkenhinolocfifgehidddafch | - | BrowserPass |
| bmikpgodpkclnkgmnpphehdgcimmided | - | MYKI |
| jhfjfclepacoldmjmkmdlmganfaalklb | - | Splikity |
| chgfefjpcobfbnpmiokfjjaglahmnded | - | CommonKey |
| nhhldecdfagpbfggphklkaeiocfnaafm | - | SAASPASS |
| fpabdmjmldajnkijknogckkhlmbnfiog | - | Telos Authenticator |
| igkpcodhieompeloncfnbekccinhapdb | - | Zoho Vault |
| admmjipmmciaobhojoghlmleefbicajg | - | Norton Password Manager |
| caljgklbbfbcjjanaijlacgncafpegll | - | Avira Password Manager |
| ppdjlkfkedmidmclhakfncpfdmdgmjpm | - | Aegis Authenticator |
| cfoajccjibkjhbdjnpkbananbejpkkjb | - | LastPass Authenticator |
| lbfeahdfdkibininjgejjgpdafeopflb | - | KeePass |
| eidlicjlkaiefdbgmdepmmicpbggmhoj | - | Duo Mobile |
| bobfejfdlhnabgglompioclndjejolch | - | OTP Auth |
| elokfmmmjbadpgdjmgglocapdckdcpkn | - | FreeOTP |
| klghhnkeealcohjjanjjdaeeggmfmlpl | - | Zerion |
| pdliaogehgdbhbnmkklieghmmjkpigpa | - | Bybit |
| cpmkedoipcpimgecpmgpldfpohjplkpp | - | Gate |
| jiidiaalihmmhddjgbnbgdfflelocpak | - | Bitget |
| apenkfbbpmhihehmihndmmcdanacolnh | - | SafePal |
| cpojfbodiccabbabgimdeohkkpjfpbnf | - | Rainbow |
| ejbalbakoplchlghecdalmeeeajnimhm | - | MetaMask |
| hkkpjehhcnhgefhbdcgfkeegglpjchdc | - | Braavos Smart |
| akoiaibnepcedcplijmiamnaigbepmcb | - | Yoroi |
| mlbafbjadjidklbhgopoamemfibcpdfi | - | Binance Chain |
| ajkhoeiiokighlmdnlakpjfoobnjinie | - | Terra Station |
| nggcakhlblakghejdigkaekbhicfkckn | - | EQUAL |
| oemdnnhhfhdhilalibobndhoahcaiboe | - | Wombat |
| dfeccadlilpndjjohbjdblepmjeahlmm | - | Math |
| iaociiajffacjhhmleclkjdchjhdmjpb | - | TezBox |
| ocodgmmffbkkeecmadcijjhkmeohinei | - | Keplr |
| kjmoohlgokccodicjjfebfomlbljgfhk | - | Ronin |
| nkaemodamjfefjgbefolnpnlccpdfpap | - | Waves Keeper |
| bbcinlkgjjkejfdpemiealijmmooekmp | - | LastPass |
| lfochlioelphaglamdcakfjemolpichk | - | Keeper Password Manager |
| jbkfoedolllekgbhcbcoahefnbanhhlh | - | bitwarden |
| ljfpcifpgbbchoddpjefaipoiigpdmag | - | RoboForm |
| ocglkepbibnalbgmbachknglpdipeoio | - | Authenticator |
| dppgmdbiimibapkepcbdbmkaabgiofem | - | 1Password |
| pdffhmdngciaglkoonimfcmckehcpafo | - | KeePassXC |
| gehmmocbbkpblljhkekmfhjpfbkclbph | - | Dashlane |
| nofkfblpeailgignhkbnapbephdnmbmn | - | MYKI |
| ghocjofkdpicneaokfekohclmkfmepbp | - | Exodus Web3 |
| heaomjafhiehddpnmncmhhpjaloainkn | - | Trust |
| djclckkglechooblngghdinmeemkbgci | - | MetaMask |
| acdamagkdfmpkclpoglgnbddngblgibo | - | Guarda |
| okejhknhopdbemmfefjglkdfdhpfmflg | - | BitKeep |
| mijjdbgpgbflkaooedaemnlciddmamai | - | Waves Keeper |
Wallet applications:
Qtum, Ethereum, Bitcoin, Dogecoin, Monero, DashCore, Litecoin, Bytecoin, Coinomi, Armory, MultiBit, Exodus, Electrum, Electrum-LTC, Atomic, Guarda, BitPay, Wasabi, ElectronCash, Sparrow, IOCoin, PPCoin, BBQCoin, Mincoin, DevCoin, YACoin, Franko, FreiCoin, InfiniteCoin, GoldCoin, Binance, Terracoin, Daedalus Mainnet, MyMonero, MyCrypto, Bisq, Zap, Simpleos, Neon, bitmonero, Etherwall.
Communication applications:
Discord, DiscordCanary, DiscordPTB, DiscordDevelopment, Lightcord, Telegram, Signal, Pidgin.
Others:
Steam, OpenVpn, PhontanVPN, Ngrok, OBS Studio, FileZilla, WinSCP, FoxMail, MailBird, MailMaster, Outlook.
For C2 communication, instead of using sockets like the previous version, it uses HTTP requests with different endpoints for each action, including /ping, /plugin, /userinfo, /browser, /application, /crypto, /discord, /filesearch/req, /filesearch/res, and /finish.
As shown in Figure 19, PureLogs transmitted the harvested data through multiple requests, using specified URLs and the POST method based on the type of collected data. All transmitted data was encrypted with AES and compressed with Gzip.
Figure 19: Network Communication with C2.
Conclusion
Don't let seemingly harmless media files fool you. Increasingly, malware uses steganography to hide within these files. From strange bitmaps to cute cat pictures, everyday images are being weaponized to secretly transmit encrypted malicious code across networks without raising suspicion.
In this article, we uncovered an attack campaign involving a new steganography loader, PawsRunner, to deliver the well-known .NET infostealer, PureLogs. The infection chain begins with a phishing email that delivers a TXZ archive. The embedded JavaScript uses a sophisticated technique to store decoded malicious commands in environment variables, which then triggers a decrypted steganographic .NET loader. This loader retrieves the final payload by extracting encrypted data hidden within a cat image. This version of PureLogs uses extensive async/await patterns to improve task efficiency and complicate analysis. Additionally, it uses HTTPS for its Command and Control (C2) communications.
Fortinet Protections
The malware described in this report are detected and blocked by FortiGuard Antivirus as:
EML/Phishing.973A!tr
JS/Formbook.VEN!tr
MSIL/Agent.6942!tr
MSIL/WSA!tr
MSIL/Kryptik.AQAJ!tr
MSIL/WOF!tr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard Antivirus Service. The FortiGuard antivirus engine is included in each of those solutions. As a result, customers with these products and up-to-date protections are protected, and customers can enforce the blocking of the unusual TXZ file format.
The FortiGuard CDR (content disarm and reconstruction) service can disarm malicious macros within the document.
FortiGuard Labs provides the Purelogs.Botnet IPS signature to block communications with the PureLogs C2 network.
We also suggest that organizations take the free Fortinet Certified Fundamentals (FCF) cybersecurity training. The training is designed to help users understand today's threat landscape and to introduce basic cybersecurity concepts and technology.
FortiGuard IP Reputation and the Anti-Botnet Security Service proactively block malware attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence on hostile sources.
If you believe this or any other cybersecurity threat has affected your organization, please contact the Global FortiGuard Incident Response Team.
IOCs
C2:
5[.]101[.]84[.]202
URLs:
hxxps://everycarebd[.]com/imagelkjh0987[.]png
SHA256:
8d0bcde739929fe41a6bcaaa62f7cba802af90b2ba8dea6ed1a4821236cdd588
6910d27b9e1dc2229a8c280f5d0cea85146d50274c56a4d9a5b8d1793505b1b9
93724f1a9ad3a28c171927fc449ac34dc6ca890f915f00210e8b305577388c6e
0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e
1b730de72f921458b6b162b105a9521a931f07e19d3cac53207c7a8efbc412f9
e2308749f6b7b7573009d0cac6616a6aa83cecb1f2933e868776400d122c86ec
如有侵权请联系:admin#unsafe.sh