Malware Analysis Report

2024-08-06 14:44

Sample ID 240701-el979swaqg
Target ec03c8da575fa5ee4745506b340968e6.bin
SHA256 6e9684d4b9c12a050ce73e4da9204e9b3db3cadca1ce03b8b4438dd19d36bd1d
Tags
nanocore evasion keylogger spyware stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

6e9684d4b9c12a050ce73e4da9204e9b3db3cadca1ce03b8b4438dd19d36bd1d

Threat Level: Known bad

The file ec03c8da575fa5ee4745506b340968e6.bin was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger spyware stealer trojan

NanoCore

Executes dropped EXE

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-01 04:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-01 04:02

Reported

2024-07-01 04:05

Platform

win7-20231129-en

Max time kernel

126s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 2128 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3024 wrote to memory of 2708 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2256 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2020 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2624 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1648 wrote to memory of 2308 (4 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 2308 wrote to memory of 1664 (12 events) N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2308 wrote to memory of 1512 (4 events) N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 1552 (4 events) N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 1424 (4 events) N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 2532 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1648 wrote to memory of 1860 (4 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

Processes

C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe

"C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\system32\taskeng.exe

taskeng.exe {5A91D7DD-D467-422A-AE41-95C5DA4DC8C4} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 munan.duckdns.org udp
US 8.8.4.4:53 munan.duckdns.org udp
US 18.210.161.224:3637 munan.duckdns.org tcp

Files


C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

MD5 ec03c8da575fa5ee4745506b340968e6
SHA1 357374aa9b28d6571ebcf3b535b3cd8fe85eebba
SHA256 26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7
SHA512 2d01fa27ef375f77db7e3a896877db902ea52578aaa13aaec2aef3ce8a0199b1de56ca70602bac24f4fd2278ed5835e2c373c0626a05e95929deb93abb94137a


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-01 04:02

Reported

2024-07-01 04:05

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 1072 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2516 wrote to memory of 1412 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 3396 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 3308 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 3276 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5024 wrote to memory of 972 (8 events) N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5024 wrote to memory of 3164 (3 events) N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 4536 (3 events) N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 3572 (3 events) N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 4672 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 180 wrote to memory of 728 (8 events) N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 180 wrote to memory of 2136 (3 events) N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 180 wrote to memory of 320 (3 events) N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 180 wrote to memory of 1336 (3 events) N/A C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 3008 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe

"C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 munan.duckdns.org udp (6 queries)
US 8.8.4.4:53 munan.duckdns.org udp (3 queries)
US 8.8.8.8:53 munabc.duckdns.org udp (3 queries)
US 8.8.4.4:53 munabc.duckdns.org udp

Files


C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

MD5 ec03c8da575fa5ee4745506b340968e6
SHA1 357374aa9b28d6571ebcf3b535b3cd8fe85eebba
SHA256 26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7
SHA512 2d01fa27ef375f77db7e3a896877db902ea52578aaa13aaec2aef3ce8a0199b1de56ca70602bac24f4fd2278ed5835e2c373c0626a05e95929deb93abb94137a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DDfiles.exe.log

MD5 03febbff58da1d3318c31657d89c8542
SHA1 c9e017bd9d0a4fe533795b227c855935d86c2092
SHA256 5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4
SHA512 3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 84e77a587d94307c0ac1357eb4d3d46f
SHA1 83cc900f9401f43d181207d64c5adba7a85edc1e
SHA256 e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512 aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691