Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
23/08/2023, 19:57
Static task
static1
Behavioral task
behavioral1
Sample
48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe
Resource
win10v2004-20230703-en
General
-
Target
48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe
-
Size
704KB
-
MD5
41e0df44861db485fe4bfd5a4afa6191
-
SHA1
a2125ec84fe54a8b8cf6d92d2563bedf63e7679c
-
SHA256
48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d
-
SHA512
59d54ddda53cc7dd73fabacb12e952db39acb1d4cca9e02016b666164df02b840ffca9825daa2f612c22e7e23b163a6856f247d310f9b547c3a4b21bc61328f1
-
SSDEEP
12288:sMrfy90OM5P05xb/L4lq716Sd70fekpB7ov6kOoTpGmq86dabCZk/TSgb:7yq05V4lY3hNO9C6kBTpw8caBmi
Malware Config
Extracted
amadey
3.87
77.91.68.18/nice/index.php
Extracted
redline
gogi
77.91.124.73:19071
-
auth_value
c7dbabcf1eff128a595c7532cb5489a8
Signatures
-
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral1/files/0x00080000000231c4-26.dat healer behavioral1/files/0x00080000000231c4-27.dat healer behavioral1/memory/464-28-0x0000000000130000-0x000000000013A000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" g1430632.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection g1430632.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" g1430632.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" g1430632.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" g1430632.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" g1430632.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 9 IoCs
pid Process 4904 x1673477.exe 4656 x6581872.exe 2864 x9661951.exe 464 g1430632.exe 1088 h2926418.exe 4312 saves.exe 4960 i1872491.exe 400 saves.exe 100 saves.exe -
Loads dropped DLL 1 IoCs
pid Process 4304 rundll32.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" g1430632.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x1673477.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x6581872.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" x9661951.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2300 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1972 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 464 g1430632.exe 464 g1430632.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 464 g1430632.exe -
Suspicious use of WriteProcessMemory 47 IoCs
description pid Process procid_target PID 2352 wrote to memory of 4904 2352 48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe 83 PID 2352 wrote to memory of 4904 2352 48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe 83 PID 2352 wrote to memory of 4904 2352 48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe 83 PID 4904 wrote to memory of 4656 4904 x1673477.exe 84 PID 4904 wrote to memory of 4656 4904 x1673477.exe 84 PID 4904 wrote to memory of 4656 4904 x1673477.exe 84 PID 4656 wrote to memory of 2864 4656 x6581872.exe 85 PID 4656 wrote to memory of 2864 4656 x6581872.exe 85 PID 4656 wrote to memory of 2864 4656 x6581872.exe 85 PID 2864 wrote to memory of 464 2864 x9661951.exe 86 PID 2864 wrote to memory of 464 2864 x9661951.exe 86 PID 2864 wrote to memory of 1088 2864 x9661951.exe 91 PID 2864 wrote to memory of 1088 2864 x9661951.exe 91 PID 2864 wrote to memory of 1088 2864 x9661951.exe 91 PID 1088 wrote to memory of 4312 1088 h2926418.exe 92 PID 1088 wrote to memory of 4312 1088 h2926418.exe 92 PID 1088 wrote to memory of 4312 1088 h2926418.exe 92 PID 4656 wrote to memory of 4960 4656 x6581872.exe 93 PID 4656 wrote to memory of 4960 4656 x6581872.exe 93 PID 4656 wrote to memory of 4960 4656 x6581872.exe 93 PID 4312 wrote to memory of 1972 4312 saves.exe 94 PID 4312 wrote to memory of 1972 4312 saves.exe 94 PID 4312 wrote to memory of 1972 4312 saves.exe 94 PID 4312 wrote to memory of 4132 4312 saves.exe 96 PID 4312 wrote to memory of 4132 4312 saves.exe 96 PID 4312 wrote to memory of 4132 4312 saves.exe 96 PID 4132 wrote to memory of 3760 4132 cmd.exe 98 PID 4132 wrote to memory of 3760 4132 cmd.exe 98 PID 4132 wrote to memory of 3760 4132 cmd.exe 98 PID 4132 wrote to memory of 3172 4132 cmd.exe 99 PID 4132 wrote to memory of 3172 4132 cmd.exe 99 PID 4132 wrote to memory of 3172 4132 cmd.exe 99 PID 4132 wrote to memory of 3408 4132 cmd.exe 100 PID 4132 wrote to memory of 3408 4132 cmd.exe 100 PID 4132 wrote to memory of 3408 4132 cmd.exe 100 PID 4132 wrote to memory of 2228 4132 cmd.exe 102 PID 4132 wrote to memory of 2228 4132 cmd.exe 102 PID 4132 wrote to memory of 2228 4132 cmd.exe 102 PID 4132 wrote to memory of 2808 4132 cmd.exe 101 PID 4132 wrote to memory of 2808 4132 cmd.exe 101 PID 4132 wrote to memory of 2808 4132 cmd.exe 101 PID 4132 wrote to memory of 1516 4132 cmd.exe 103 PID 4132 wrote to memory of 1516 4132 cmd.exe 103 PID 4132 wrote to memory of 1516 4132 cmd.exe 103 PID 4312 wrote to memory of 4304 4312 saves.exe 110 PID 4312 wrote to memory of 4304 4312 saves.exe 110 PID 4312 wrote to memory of 4304 4312 saves.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe"C:\Users\Admin\AppData\Local\Temp\48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1673477.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1673477.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6581872.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6581872.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9661951.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9661951.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1430632.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1430632.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:464
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2926418.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2926418.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F7⤵
- Creates scheduled task(s)
PID:1972
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit7⤵
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:3760
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "saves.exe" /P "Admin:N"8⤵PID:3172
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "saves.exe" /P "Admin:R" /E8⤵PID:3408
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b40d11255d" /P "Admin:N"8⤵PID:2808
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:2228
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b40d11255d" /P "Admin:R" /E8⤵PID:1516
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main7⤵
- Loads dropped DLL
PID:4304
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1872491.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1872491.exe4⤵
- Executes dropped EXE
PID:4960
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
PID:400
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
PID:100
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:2300
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
598KB
MD57eb89f72a5c6ab5596eb35ae3d32ba88
SHA131efb2f7b9ce0434484c4294ec267b711b5ed77d
SHA2568810508ee607c22f1a02adcf20304d16ea6ecf28e26b3f6edc5f1c543f2eb147
SHA512e3f898e2152320ad0baf79b4acc9887462854b60669d642a35eacfbdbd5ba624163356e6a0b9ee37c29ec0027ab9318670b226c8f98c3854e779ca74421d2699
-
Filesize
598KB
MD57eb89f72a5c6ab5596eb35ae3d32ba88
SHA131efb2f7b9ce0434484c4294ec267b711b5ed77d
SHA2568810508ee607c22f1a02adcf20304d16ea6ecf28e26b3f6edc5f1c543f2eb147
SHA512e3f898e2152320ad0baf79b4acc9887462854b60669d642a35eacfbdbd5ba624163356e6a0b9ee37c29ec0027ab9318670b226c8f98c3854e779ca74421d2699
-
Filesize
433KB
MD5cec13fc8a517920bb43393d0c726a1fd
SHA1939aea459a84eca794e7a3f4f6303c5b3b59e4c5
SHA256e7d50b9473f99b363590f8fb5a1179cdf170cac611103575ae24e5cb36d89bcc
SHA5129b7dd963f19bc6fd2b1395ec677de3a75cb2b2a2f3835c789aa55ad852e1b344eb77eceb0219d2ee809a03282edc05a22ba099954d082285ba206c289443981c
-
Filesize
433KB
MD5cec13fc8a517920bb43393d0c726a1fd
SHA1939aea459a84eca794e7a3f4f6303c5b3b59e4c5
SHA256e7d50b9473f99b363590f8fb5a1179cdf170cac611103575ae24e5cb36d89bcc
SHA5129b7dd963f19bc6fd2b1395ec677de3a75cb2b2a2f3835c789aa55ad852e1b344eb77eceb0219d2ee809a03282edc05a22ba099954d082285ba206c289443981c
-
Filesize
173KB
MD5a37eb9402773d3f1ee9707cbf8785b6e
SHA16422a641a70ae761d335260ebd0c6beb3a724fcb
SHA256d6f7b74ebe511a7044cbff930f6d61c8e98467b796b062118e99c1d469d54f98
SHA512e523b1b6bcaf720fa630c08b47fd3ac4e43c309420df1d671907fe31566488a04c2c3306d56b31bc7f5a48a823659f8a7bd1bb9570ebbfaa5a8e6be90df589dd
-
Filesize
173KB
MD5a37eb9402773d3f1ee9707cbf8785b6e
SHA16422a641a70ae761d335260ebd0c6beb3a724fcb
SHA256d6f7b74ebe511a7044cbff930f6d61c8e98467b796b062118e99c1d469d54f98
SHA512e523b1b6bcaf720fa630c08b47fd3ac4e43c309420df1d671907fe31566488a04c2c3306d56b31bc7f5a48a823659f8a7bd1bb9570ebbfaa5a8e6be90df589dd
-
Filesize
277KB
MD5accfb7f486fbbf6d57c3e0c919371389
SHA1311ceea65111b5018f315e2a0807e36ae21575ab
SHA256c22a7173c1c6fab129f1652b3a452c15ff4bfe22dd202a0a10c284fe19782517
SHA512dfbae15c1896521f9d5a75e32ff2558f82e5d6073f9b8282f8e82aad022445c713a68286f1bff1ca2b6a05873f589f45d6d72686467641b532fde6bc825082df
-
Filesize
277KB
MD5accfb7f486fbbf6d57c3e0c919371389
SHA1311ceea65111b5018f315e2a0807e36ae21575ab
SHA256c22a7173c1c6fab129f1652b3a452c15ff4bfe22dd202a0a10c284fe19782517
SHA512dfbae15c1896521f9d5a75e32ff2558f82e5d6073f9b8282f8e82aad022445c713a68286f1bff1ca2b6a05873f589f45d6d72686467641b532fde6bc825082df
-
Filesize
12KB
MD5e3839584bc1c3276b6120b1e05a748a8
SHA155d531f47107d1d2ed8a2d5da69c0d7570ed32bd
SHA2561fa5f9096051c9991130b593b049dd9a53a890f2ae5367e977b79aefbda5472c
SHA5126fa2541755154b3ee41f6bdbad4828c63e5235fec4808ae4c91737ae50bbbf667480651168948d9629ad16772595af3a6dc8788b98e7dd9ec51b29973da559fa
-
Filesize
12KB
MD5e3839584bc1c3276b6120b1e05a748a8
SHA155d531f47107d1d2ed8a2d5da69c0d7570ed32bd
SHA2561fa5f9096051c9991130b593b049dd9a53a890f2ae5367e977b79aefbda5472c
SHA5126fa2541755154b3ee41f6bdbad4828c63e5235fec4808ae4c91737ae50bbbf667480651168948d9629ad16772595af3a6dc8788b98e7dd9ec51b29973da559fa
-
Filesize
317KB
MD5af3761696e8c02194fac038b63d939cb
SHA12aee36c51113c73560c7ff085165f0e9b770ed2c
SHA25673062ff2aef4c9bf74180c3df3cd8319d74f5e8935b5bdb465e266c01e3b122c
SHA5125cb82533fdc609db864f87baa24f1a68bec1494ce6c12a5c6d96158cb0fdfac3da5cbbe3e69e3f6434250cef2f106bdc8e32c95278df8b010184fd005a4f36e2
-
Filesize
317KB
MD5af3761696e8c02194fac038b63d939cb
SHA12aee36c51113c73560c7ff085165f0e9b770ed2c
SHA25673062ff2aef4c9bf74180c3df3cd8319d74f5e8935b5bdb465e266c01e3b122c
SHA5125cb82533fdc609db864f87baa24f1a68bec1494ce6c12a5c6d96158cb0fdfac3da5cbbe3e69e3f6434250cef2f106bdc8e32c95278df8b010184fd005a4f36e2
-
Filesize
317KB
MD5af3761696e8c02194fac038b63d939cb
SHA12aee36c51113c73560c7ff085165f0e9b770ed2c
SHA25673062ff2aef4c9bf74180c3df3cd8319d74f5e8935b5bdb465e266c01e3b122c
SHA5125cb82533fdc609db864f87baa24f1a68bec1494ce6c12a5c6d96158cb0fdfac3da5cbbe3e69e3f6434250cef2f106bdc8e32c95278df8b010184fd005a4f36e2
-
Filesize
317KB
MD5af3761696e8c02194fac038b63d939cb
SHA12aee36c51113c73560c7ff085165f0e9b770ed2c
SHA25673062ff2aef4c9bf74180c3df3cd8319d74f5e8935b5bdb465e266c01e3b122c
SHA5125cb82533fdc609db864f87baa24f1a68bec1494ce6c12a5c6d96158cb0fdfac3da5cbbe3e69e3f6434250cef2f106bdc8e32c95278df8b010184fd005a4f36e2
-
Filesize
317KB
MD5af3761696e8c02194fac038b63d939cb
SHA12aee36c51113c73560c7ff085165f0e9b770ed2c
SHA25673062ff2aef4c9bf74180c3df3cd8319d74f5e8935b5bdb465e266c01e3b122c
SHA5125cb82533fdc609db864f87baa24f1a68bec1494ce6c12a5c6d96158cb0fdfac3da5cbbe3e69e3f6434250cef2f106bdc8e32c95278df8b010184fd005a4f36e2
-
Filesize
317KB
MD5af3761696e8c02194fac038b63d939cb
SHA12aee36c51113c73560c7ff085165f0e9b770ed2c
SHA25673062ff2aef4c9bf74180c3df3cd8319d74f5e8935b5bdb465e266c01e3b122c
SHA5125cb82533fdc609db864f87baa24f1a68bec1494ce6c12a5c6d96158cb0fdfac3da5cbbe3e69e3f6434250cef2f106bdc8e32c95278df8b010184fd005a4f36e2
-
Filesize
317KB
MD5af3761696e8c02194fac038b63d939cb
SHA12aee36c51113c73560c7ff085165f0e9b770ed2c
SHA25673062ff2aef4c9bf74180c3df3cd8319d74f5e8935b5bdb465e266c01e3b122c
SHA5125cb82533fdc609db864f87baa24f1a68bec1494ce6c12a5c6d96158cb0fdfac3da5cbbe3e69e3f6434250cef2f106bdc8e32c95278df8b010184fd005a4f36e2
-
Filesize
89KB
MD55bc0153d2973241b72a38c51a2f72116
SHA1cd9c689663557452631d9f8ff609208b01884a32
SHA25668ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554
SHA5122eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b
-
Filesize
89KB
MD55bc0153d2973241b72a38c51a2f72116
SHA1cd9c689663557452631d9f8ff609208b01884a32
SHA25668ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554
SHA5122eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b
-
Filesize
89KB
MD55bc0153d2973241b72a38c51a2f72116
SHA1cd9c689663557452631d9f8ff609208b01884a32
SHA25668ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554
SHA5122eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b
-
Filesize
273B
MD5374bfdcfcf19f4edfe949022092848d2
SHA1df5ee40497e98efcfba30012452d433373d287d4
SHA256224a123b69af5a3ab0553e334f6c70846c650597a63f6336c9420bbe8f00571f
SHA512bc66dd6e675942a8b8cd776b0813d4b182091e45bfa7734b3818f58c83d04f81f0599a27625ff345d393959b8dbe478d8f1ed33d49f9bcee052c986c8665b8d7