Malware Analysis Report

2024-09-23 04:51

Sample ID 220420-vwfdmsffer
Target 0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de
SHA256 0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de
Tags qulab discovery evasion ransomware spyware stealer upx
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de was found to be: Known bad.

Malicious Activity Summary

qulab discovery evasion ransomware spyware stealer upx

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Sets file to hidden

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

Drops file in System32 directory

AutoIT Executable

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported 2022-04-20 17:20

Signatures

AutoIT Executable

Analysis: behavioral1

Detonation Overview

Submitted 2022-04-20 17:20
Reported 2022-04-20 18:39
Platform win7-20220414-en
Max time kernel 123s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Sets file to hidden

evasion

UPX packed file

upx

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A

AutoIT Executable

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe
PID 1152 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe
PID 1172 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
PID 1292 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe
PID 1292 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe C:\Windows\SysWOW64\attrib.exe
PID 1316 wrote to memory of 1276 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
PID 1316 wrote to memory of 872 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe

"C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe"

C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe

"C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe"

C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe

"C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\ENU_687FE9762211651E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources"

C:\Windows\system32\taskeng.exe

taskeng.exe {49F0B25E-F28A-4E56-A5C6-A835411F3EB4} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipapi.co udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 172.67.69.226:443 ipapi.co tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
RU 45.89.19.14:11928 api.telegram.org tcp
RU 45.89.19.14:11928 api.telegram.org tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted 2022-04-20 17:20
Reported 2022-04-20 18:39
Platform win10v2004-20220414-en
Max time kernel 98s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Sets file to hidden

evasion

UPX packed file

upx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A

AutoIT Executable

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 448 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe
PID 448 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe
PID 2980 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe
PID 1660 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe
PID 1660 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe

"C:\Users\Admin\AppData\Local\Temp\0c24d7b169124753674e308d4517d2e754659df46660670ac9afff8a516dd3de.exe"

C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe

"C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\shellbag_analyzer_cleaner (3).exe"

C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe

"C:\Users\Admin\AppData\Roaming\aCnnOzGiE2seYfQPO\Build.exe"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\ENU_801FE97C5F89A74E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..timezones.resources\KBDGRLND.exe

Network

Country Destination Domain Proto
NL 52.109.88.36:443 tcp
US 52.242.97.97:443 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 ipapi.co udp
US 172.67.69.226:443 ipapi.co tcp
RU 45.89.19.14:11928 api.telegram.org tcp
US 20.42.65.85:443 tcp
RU 45.89.19.14:11928 api.telegram.org tcp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.253.208.112:80 tcp
US 204.79.197.203:80 tcp
US 8.253.208.112:80 tcp

Files
