Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
65s -
max time network
71s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system -
submitted
29/08/2023, 19:25
Static task
static1
Behavioral task
behavioral1
Sample
e970e0ea04a9999382c8cb97b9d6cfa57005967e520da832642255bea1d7c5e4.exe
Resource
win10-20230703-en
Errors
General
-
Target
e970e0ea04a9999382c8cb97b9d6cfa57005967e520da832642255bea1d7c5e4.exe
-
Size
704KB
-
MD5
99bacda620b636f0c426ff01fb2e90c6
-
SHA1
9ee5772e5d8b7cee25253eee74db01e933ba5b37
-
SHA256
e970e0ea04a9999382c8cb97b9d6cfa57005967e520da832642255bea1d7c5e4
-
SHA512
60b246f832a2362f62bcaac4c01af287e84fe15a8ca431092f0398c99fc69d2d1af573f042489c21b720504e058078167630bfe3c8c486ab7908d778f6a5993a
-
SSDEEP
12288:+MrNy90Pf285npnOHMva/73T8xiVDXtmhX2rmwoZI90tWzPoSAWG:zyo+85npnuIa/73T8ADBmweICAtAWG
Malware Config
Extracted
amadey
3.87
77.91.68.18/nice/index.php
Extracted
redline
sruta
77.91.124.82:19071
-
auth_value
c556edcd49703319eca74247de20c236
Signatures
-
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral1/files/0x000700000001b03c-26.dat healer behavioral1/files/0x000700000001b03c-27.dat healer behavioral1/memory/2736-28-0x0000000000E00000-0x0000000000E0A000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" g0608754.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" g0608754.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" g0608754.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" g0608754.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" g0608754.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 8 IoCs
pid Process 5044 x1116272.exe 2992 x4723498.exe 4468 x3472103.exe 2736 g0608754.exe 4476 h8339263.exe 1592 saves.exe 4824 i7077733.exe 4712 saves.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" g0608754.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x4723498.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" x3472103.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" e970e0ea04a9999382c8cb97b9d6cfa57005967e520da832642255bea1d7c5e4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x1116272.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4432 schtasks.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2736 g0608754.exe 2736 g0608754.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2736 g0608754.exe Token: SeShutdownPrivilege 3780 shutdown.exe Token: SeRemoteShutdownPrivilege 3780 shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4776 LogonUI.exe -
Suspicious use of WriteProcessMemory 50 IoCs
description pid Process procid_target PID 4616 wrote to memory of 5044 4616 e970e0ea04a9999382c8cb97b9d6cfa57005967e520da832642255bea1d7c5e4.exe 70 PID 4616 wrote to memory of 5044 4616 e970e0ea04a9999382c8cb97b9d6cfa57005967e520da832642255bea1d7c5e4.exe 70 PID 4616 wrote to memory of 5044 4616 e970e0ea04a9999382c8cb97b9d6cfa57005967e520da832642255bea1d7c5e4.exe 70 PID 5044 wrote to memory of 2992 5044 x1116272.exe 71 PID 5044 wrote to memory of 2992 5044 x1116272.exe 71 PID 5044 wrote to memory of 2992 5044 x1116272.exe 71 PID 2992 wrote to memory of 4468 2992 x4723498.exe 72 PID 2992 wrote to memory of 4468 2992 x4723498.exe 72 PID 2992 wrote to memory of 4468 2992 x4723498.exe 72 PID 4468 wrote to memory of 2736 4468 x3472103.exe 73 PID 4468 wrote to memory of 2736 4468 x3472103.exe 73 PID 4468 wrote to memory of 4476 4468 x3472103.exe 74 PID 4468 wrote to memory of 4476 4468 x3472103.exe 74 PID 4468 wrote to memory of 4476 4468 x3472103.exe 74 PID 4476 wrote to memory of 1592 4476 h8339263.exe 75 PID 4476 wrote to memory of 1592 4476 h8339263.exe 75 PID 4476 wrote to memory of 1592 4476 h8339263.exe 75 PID 2992 wrote to memory of 4824 2992 x4723498.exe 76 PID 2992 wrote to memory of 4824 2992 x4723498.exe 76 PID 2992 wrote to memory of 4824 2992 x4723498.exe 76 PID 1592 wrote to memory of 4432 1592 saves.exe 77 PID 1592 wrote to memory of 4432 1592 saves.exe 77 PID 1592 wrote to memory of 4432 1592 saves.exe 77 PID 1592 wrote to memory of 4968 1592 saves.exe 78 PID 1592 wrote to memory of 4968 1592 saves.exe 78 PID 1592 wrote to memory of 4968 1592 saves.exe 78 PID 4968 wrote to memory of 3928 4968 cmd.exe 81 PID 4968 wrote to memory of 3928 4968 cmd.exe 81 PID 4968 wrote to memory of 3928 4968 cmd.exe 81 PID 4968 wrote to memory of 2032 4968 cmd.exe 82 PID 4968 wrote to memory of 2032 4968 cmd.exe 82 PID 4968 wrote to memory of 2032 4968 cmd.exe 82 PID 4968 wrote to memory of 2472 4968 cmd.exe 83 PID 4968 wrote to memory of 2472 4968 cmd.exe 83 PID 4968 wrote to memory of 2472 4968 cmd.exe 83 PID 4968 wrote to memory of 2152 4968 cmd.exe 84 PID 4968 wrote to memory of 2152 4968 cmd.exe 84 PID 4968 wrote to memory of 2152 4968 cmd.exe 84 PID 4968 wrote to memory of 3676 4968 cmd.exe 85 PID 4968 wrote to memory of 3676 4968 cmd.exe 85 PID 4968 wrote to memory of 3676 4968 cmd.exe 85 PID 4968 wrote to memory of 5056 4968 cmd.exe 86 PID 4968 wrote to memory of 5056 4968 cmd.exe 86 PID 4968 wrote to memory of 5056 4968 cmd.exe 86 PID 4712 wrote to memory of 1996 4712 saves.exe 88 PID 4712 wrote to memory of 1996 4712 saves.exe 88 PID 4712 wrote to memory of 1996 4712 saves.exe 88 PID 1996 wrote to memory of 3780 1996 cmd.exe 90 PID 1996 wrote to memory of 3780 1996 cmd.exe 90 PID 1996 wrote to memory of 3780 1996 cmd.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\e970e0ea04a9999382c8cb97b9d6cfa57005967e520da832642255bea1d7c5e4.exe"C:\Users\Admin\AppData\Local\Temp\e970e0ea04a9999382c8cb97b9d6cfa57005967e520da832642255bea1d7c5e4.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1116272.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1116272.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4723498.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4723498.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3472103.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3472103.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0608754.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0608754.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8339263.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8339263.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F7⤵
- Creates scheduled task(s)
PID:4432
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit7⤵
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:3928
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "saves.exe" /P "Admin:N"8⤵PID:2032
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "saves.exe" /P "Admin:R" /E8⤵PID:2472
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:2152
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b40d11255d" /P "Admin:N"8⤵PID:3676
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b40d11255d" /P "Admin:R" /E8⤵PID:5056
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7077733.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7077733.exe4⤵
- Executes dropped EXE
PID:4824
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k shutdown -s -t 02⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\shutdown.exeshutdown -s -t 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:3780
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3aea855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4776
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
599KB
MD502ce4909c21ba2ad6860464634e5946c
SHA19c626c6635d1ff9735511003a87439debaf1e8ec
SHA256c00cad1a1710758824295ae3998dba5e66186829356759f3a8c955d8187e9224
SHA5127e97dcb6539bebc53dd287c7333ab0464784470341f8b161e93ed17150cf4ec85e94dbcbd305f154e81cfbe5aeb5cfaaefb22e2a365a4f390e60012f2101e8ee
-
Filesize
599KB
MD502ce4909c21ba2ad6860464634e5946c
SHA19c626c6635d1ff9735511003a87439debaf1e8ec
SHA256c00cad1a1710758824295ae3998dba5e66186829356759f3a8c955d8187e9224
SHA5127e97dcb6539bebc53dd287c7333ab0464784470341f8b161e93ed17150cf4ec85e94dbcbd305f154e81cfbe5aeb5cfaaefb22e2a365a4f390e60012f2101e8ee
-
Filesize
433KB
MD55f845f80e1609ad7e84ee456f3d29a70
SHA16124324cb2788efe77d8ffcfb60e5adae3174c42
SHA256dfb0ce123b1798f407989d2997f3b8561e55e8e2b10b836121625a4b705c064e
SHA5124bc6b26fe885efee0d2c7cd5410c118db32865adf622c327cfdefef1a0f67747839d8c137db842a1179cf3affe5648c716da6cb303cf39b466bae0100a219958
-
Filesize
433KB
MD55f845f80e1609ad7e84ee456f3d29a70
SHA16124324cb2788efe77d8ffcfb60e5adae3174c42
SHA256dfb0ce123b1798f407989d2997f3b8561e55e8e2b10b836121625a4b705c064e
SHA5124bc6b26fe885efee0d2c7cd5410c118db32865adf622c327cfdefef1a0f67747839d8c137db842a1179cf3affe5648c716da6cb303cf39b466bae0100a219958
-
Filesize
174KB
MD59f111b55325f4f86f3362d0bd61a7bfc
SHA1c6bce50a0647dd97e7f2c6d9a867c64e0e9eba0f
SHA256c5402adbd5fd83ef77ab678be5b47dbf3350e8a4902b642a13e836fad4e72b70
SHA51268ed7d29debf9ed2d59887849b2dbe068025ac62ba66e829ba8c6e0afad37436f9bd75ca5b8a02a507da7a007c7cf4f31fba77153b6b524d738f8a2413bd2e5f
-
Filesize
174KB
MD59f111b55325f4f86f3362d0bd61a7bfc
SHA1c6bce50a0647dd97e7f2c6d9a867c64e0e9eba0f
SHA256c5402adbd5fd83ef77ab678be5b47dbf3350e8a4902b642a13e836fad4e72b70
SHA51268ed7d29debf9ed2d59887849b2dbe068025ac62ba66e829ba8c6e0afad37436f9bd75ca5b8a02a507da7a007c7cf4f31fba77153b6b524d738f8a2413bd2e5f
-
Filesize
277KB
MD5766341533723a6856cb1e0d0e420c4eb
SHA192d8759ccdd79daa9dd84dae880ba314c9e5e77a
SHA256e7ba9dd0c226b6fd4548c25e8debfce190fc6ae4513a74e493133319aec5b131
SHA512808822a26272853e45d7d580334e28239a777588504704f27c3543640a6616d04d6d3c45fbce9287b04244fdb8f064434ec84400531befcef37bbdf48f13a45c
-
Filesize
277KB
MD5766341533723a6856cb1e0d0e420c4eb
SHA192d8759ccdd79daa9dd84dae880ba314c9e5e77a
SHA256e7ba9dd0c226b6fd4548c25e8debfce190fc6ae4513a74e493133319aec5b131
SHA512808822a26272853e45d7d580334e28239a777588504704f27c3543640a6616d04d6d3c45fbce9287b04244fdb8f064434ec84400531befcef37bbdf48f13a45c
-
Filesize
17KB
MD559d78c92d78f220e904a00101aaedc6c
SHA1b13cf6555512ae3eeeea47665ca5dd7a1ed09226
SHA2563b5a45481d2e11f401837d0c53557f47fef4939cdcfeab8392f3f1fdd260a69e
SHA512f6665d15ec813b15e9a6f48ecc23951ea0d6fe667e889915ef666c76e34bd69c18451ccbecff66dad18ec70e26927d6d9f23259f6ddba2e2d4475889b42c27f0
-
Filesize
17KB
MD559d78c92d78f220e904a00101aaedc6c
SHA1b13cf6555512ae3eeeea47665ca5dd7a1ed09226
SHA2563b5a45481d2e11f401837d0c53557f47fef4939cdcfeab8392f3f1fdd260a69e
SHA512f6665d15ec813b15e9a6f48ecc23951ea0d6fe667e889915ef666c76e34bd69c18451ccbecff66dad18ec70e26927d6d9f23259f6ddba2e2d4475889b42c27f0
-
Filesize
325KB
MD541c1552adc391a47e62a1be19281a003
SHA1533b08aee3313530c96ccf1ca9e16e26e216585f
SHA2560689cece670edb4a86f6f7c04f3337bc385bec553c987782f57db254a1de7d0f
SHA5128c4fe9d68cc4319c650e4ff245ff043d40646d1b01b5e27b0dc23c1037b192a566a7ecd84c68da0fc5c1ff503eb77eb05f098bc00f97f777fca8d2707c96659f
-
Filesize
325KB
MD541c1552adc391a47e62a1be19281a003
SHA1533b08aee3313530c96ccf1ca9e16e26e216585f
SHA2560689cece670edb4a86f6f7c04f3337bc385bec553c987782f57db254a1de7d0f
SHA5128c4fe9d68cc4319c650e4ff245ff043d40646d1b01b5e27b0dc23c1037b192a566a7ecd84c68da0fc5c1ff503eb77eb05f098bc00f97f777fca8d2707c96659f
-
Filesize
325KB
MD541c1552adc391a47e62a1be19281a003
SHA1533b08aee3313530c96ccf1ca9e16e26e216585f
SHA2560689cece670edb4a86f6f7c04f3337bc385bec553c987782f57db254a1de7d0f
SHA5128c4fe9d68cc4319c650e4ff245ff043d40646d1b01b5e27b0dc23c1037b192a566a7ecd84c68da0fc5c1ff503eb77eb05f098bc00f97f777fca8d2707c96659f
-
Filesize
325KB
MD541c1552adc391a47e62a1be19281a003
SHA1533b08aee3313530c96ccf1ca9e16e26e216585f
SHA2560689cece670edb4a86f6f7c04f3337bc385bec553c987782f57db254a1de7d0f
SHA5128c4fe9d68cc4319c650e4ff245ff043d40646d1b01b5e27b0dc23c1037b192a566a7ecd84c68da0fc5c1ff503eb77eb05f098bc00f97f777fca8d2707c96659f
-
Filesize
325KB
MD541c1552adc391a47e62a1be19281a003
SHA1533b08aee3313530c96ccf1ca9e16e26e216585f
SHA2560689cece670edb4a86f6f7c04f3337bc385bec553c987782f57db254a1de7d0f
SHA5128c4fe9d68cc4319c650e4ff245ff043d40646d1b01b5e27b0dc23c1037b192a566a7ecd84c68da0fc5c1ff503eb77eb05f098bc00f97f777fca8d2707c96659f
-
Filesize
325KB
MD541c1552adc391a47e62a1be19281a003
SHA1533b08aee3313530c96ccf1ca9e16e26e216585f
SHA2560689cece670edb4a86f6f7c04f3337bc385bec553c987782f57db254a1de7d0f
SHA5128c4fe9d68cc4319c650e4ff245ff043d40646d1b01b5e27b0dc23c1037b192a566a7ecd84c68da0fc5c1ff503eb77eb05f098bc00f97f777fca8d2707c96659f