Malware Analysis Report

2025-04-03 09:44

Sample ID 230502-mmpxqaaf57
Target c80864ec4f40c15a4589d19a1e6cd3ca.exe
SHA256 1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc
Tags
amadey systembc persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc

Threat Level: Known bad

The file c80864ec4f40c15a4589d19a1e6cd3ca.exe was found to be: Known bad.

Malicious Activity Summary

amadey systembc persistence trojan

Amadey

SystemBC

Downloads MZ/PE file

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported

2023-05-02 10:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-02 10:35

Reported

2023-05-02 10:37

Platform

win7-20230220-en

Max time kernel

148s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe"

Signatures

Amadey

trojan amadey

SystemBC

trojan systembc

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000020050\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\sc64.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021061\\sc64.dll, rundll" C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2C5B5b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1136 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe C:\Users\Admin\AppData\Local\Temp\u2C5B5b.exe
PID 980 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\u2C5B5b.exe C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
PID 1764 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1136 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe C:\Windows\SysWOW64\WerFault.exe
PID 1764 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
PID 1764 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 316 wrote to memory of 520 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1616 wrote to memory of 1240 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
PID 1616 wrote to memory of 360 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe

"C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe"

C:\Users\Admin\AppData\Local\Temp\u2C5B5b.exe

"C:\Users\Admin\AppData\Local\Temp\u2C5B5b.exe"

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1540

C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

"C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll

C:\Windows\system32\taskeng.exe

taskeng.exe {D0BBD124-83AA-4680-9545-A4F647D737FE} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 nftday.art udp
US 172.67.151.248:443 nftday.art tcp
US 8.8.8.8:53 tadogem.com udp
US 172.67.183.249:80 tadogem.com tcp
FI 65.21.119.52:4277 tcp

Files

memory/1136-54-0x0000000000DC0000-0x0000000000E54000-memory.dmp

memory/1136-55-0x0000000000330000-0x0000000000331000-memory.dmp

memory/1136-56-0x00000000092E0000-0x0000000009320000-memory.dmp

\Users\Admin\AppData\Local\Temp\u2C5B5b.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Local\Temp\u2C5B5b.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

memory/980-62-0x0000000000300000-0x0000000000301000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Local\Temp\430344531370

MD5 3fc68dc3ec5acbfd35646aa2644ae98e
SHA1 30056771d952b69cfdcd8fbd14d4528d6e0b5964
SHA256 1f3456dfeb1893bba52b6e088a0c9b807ab568a69fb4e33a56782c2aee9ce3ce
SHA512 f70eed1ce6da0e705c3e56dca70403e167aefadb6b3a68ad41979423bb0d220b01ef8ba04e39d379d031b544b0d90d625c1ee66f2f9dfc590c13c7b95d1f0228

C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

MD5 1d81057710dc737ffee88f7f8b0ef90c
SHA1 8a13b1fe68d5010e5e9b14719a279c4037d7c446
SHA256 c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc
SHA512 a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

memory/1136-106-0x00000000092E0000-0x0000000009320000-memory.dmp

\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

MD5 1d81057710dc737ffee88f7f8b0ef90c
SHA1 8a13b1fe68d5010e5e9b14719a279c4037d7c446
SHA256 c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc
SHA512 a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

memory/1700-113-0x0000000000080000-0x00000000000C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll

MD5 4c09e8e3a1d837f125ea9f9c0c2c5380
SHA1 0221f489cdef441afad424b5954d07b432d0b8e8
SHA256 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512 d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll

MD5 4c09e8e3a1d837f125ea9f9c0c2c5380
SHA1 0221f489cdef441afad424b5954d07b432d0b8e8
SHA256 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512 d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

C:\Users\Admin\AppData\Roaming\d3ed71f752c04f\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/1700-151-0x0000000006E90000-0x0000000006ED0000-memory.dmp

memory/1700-152-0x0000000006E90000-0x0000000006ED0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-02 10:35

Reported

2023-05-02 10:37

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe"

Signatures

Amadey

trojan amadey

SystemBC

trojan systembc

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000020050\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sc64.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021061\\sc64.dll, rundll" C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3196 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe
PID 4344 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
PID 4028 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4028 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
PID 4028 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 3640 wrote to memory of 4440 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe

"C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe"

C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe

"C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3196 -ip 3196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1848

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F

C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

"C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 8.8.8.8:53 nftday.art udp
US 172.67.151.248:443 nftday.art tcp
US 8.8.8.8:53 248.151.67.172.in-addr.arpa udp
US 8.8.8.8:53 84.150.43.20.in-addr.arpa udp
US 8.8.8.8:53 tadogem.com udp
US 172.67.183.249:80 tadogem.com tcp
US 8.8.8.8:53 249.183.67.172.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
FI 65.21.119.52:4277 tcp
US 8.8.8.8:53 52.119.21.65.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp

Files

memory/3196-133-0x0000000000280000-0x0000000000314000-memory.dmp

memory/3196-134-0x00000000026D0000-0x00000000026D1000-memory.dmp

memory/3196-135-0x0000000009250000-0x0000000009260000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

MD5 1d81057710dc737ffee88f7f8b0ef90c
SHA1 8a13b1fe68d5010e5e9b14719a279c4037d7c446
SHA256 c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc
SHA512 a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

memory/3544-181-0x0000000000A60000-0x0000000000AA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll

MD5 4c09e8e3a1d837f125ea9f9c0c2c5380
SHA1 0221f489cdef441afad424b5954d07b432d0b8e8
SHA256 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512 d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

C:\Users\Admin\AppData\Local\Temp\443549032550

MD5 f9a17c8e93eb0838490e4c81a2d074a4
SHA1 5d0dabbc2a7b6a2d5fbe9ef6318f90827d8e17d1
SHA256 1e17ebce9ba3bb2a24b78d15f09141da98b7666aa7b31481595e9721e17a9e14
SHA512 7c04660b27dd35eceac2a9ab0f7b080802036a61fde403350b7be3a73938b935d1f4b22a4e0b10b2b6d1cb3014f4a9091540af991fd038581ecc4d3bb4950e62

C:\Users\Admin\AppData\Roaming\d3ed71f752c04f\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/3544-217-0x0000000009E00000-0x000000000A3A4000-memory.dmp

memory/3544-218-0x0000000005410000-0x00000000054A2000-memory.dmp

memory/3544-219-0x0000000009840000-0x0000000009850000-memory.dmp

memory/3544-220-0x0000000009840000-0x0000000009850000-memory.dmp
