Analysis
-
max time kernel
119s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
02-11-2024 12:23
Static task
static1
Behavioral task
behavioral1
Sample
7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Dokumentationsniveau/Stockings.ps1
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Dokumentationsniveau/Stockings.ps1
Resource
win10v2004-20241007-en
General
-
Target
7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
-
Size
902KB
-
MD5
04ef02931ad93c3c4376434c20f486f0
-
SHA1
652201adcb624d1142aa01d7bde4dfc8977c1ea5
-
SHA256
7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072
-
SHA512
027685796daeee8a1bc38d57f5599ba9e62465f3aebddbe104bc3abd3b473f5ea1f9bb23486ac8688809d9fe5a176e9ec6e6a59ac568ef7458af0dbb6fa00a2c
-
SSDEEP
12288:p5e/L/uQGchtN0FxSb7nT3tCMipEPfDurlKRFP7Pytafm6wY8yujWX6zZmvj1Gp:ebu6bN0FUb7FiWfD6lm7Pytae6/B1Gp
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
smtp.ionos.es - Port:
587 - Username:
[email protected] - Password:
Comercialplastico3. - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepid Process 5048 powershell.exe 4252 powershell.exe -
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
Processes:
msiexec.exemsiexec.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe -
Blocklisted process makes network request 13 IoCs
Processes:
msiexec.exemsiexec.exeflow pid Process 22 1648 msiexec.exe 24 1648 msiexec.exe 26 1648 msiexec.exe 28 1648 msiexec.exe 31 1648 msiexec.exe 36 1112 msiexec.exe 39 1112 msiexec.exe 42 1648 msiexec.exe 44 1648 msiexec.exe 51 1648 msiexec.exe 55 1112 msiexec.exe 60 1112 msiexec.exe 62 1112 msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 41 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
msiexec.exemsiexec.exepid Process 1648 msiexec.exe 1112 msiexec.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
powershell.exepowershell.exemsiexec.exemsiexec.exepid Process 5048 powershell.exe 4252 powershell.exe 1648 msiexec.exe 1112 msiexec.exe -
Drops file in Windows directory 4 IoCs
Processes:
7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exedescription ioc Process File opened for modification C:\Windows\resources\Nebengeschfter.ini 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe File opened for modification C:\Windows\resources\0409\gildes.lak 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe File opened for modification C:\Windows\Fonts\thyrididae.ini 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe File opened for modification C:\Windows\resources\0409\diaspidine.Inq 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exepowershell.exepowershell.exemsiexec.exemsiexec.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
powershell.exepowershell.exemsiexec.exemsiexec.exepid Process 5048 powershell.exe 5048 powershell.exe 4252 powershell.exe 4252 powershell.exe 5048 powershell.exe 5048 powershell.exe 5048 powershell.exe 5048 powershell.exe 5048 powershell.exe 5048 powershell.exe 5048 powershell.exe 4252 powershell.exe 4252 powershell.exe 4252 powershell.exe 4252 powershell.exe 4252 powershell.exe 1648 msiexec.exe 1648 msiexec.exe 1112 msiexec.exe 1112 msiexec.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
powershell.exepowershell.exepid Process 5048 powershell.exe 4252 powershell.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
powershell.exepowershell.exemsiexec.exemsiexec.exedescription pid Process Token: SeDebugPrivilege 5048 powershell.exe Token: SeDebugPrivilege 4252 powershell.exe Token: SeIncreaseQuotaPrivilege 5048 powershell.exe Token: SeSecurityPrivilege 5048 powershell.exe Token: SeTakeOwnershipPrivilege 5048 powershell.exe Token: SeLoadDriverPrivilege 5048 powershell.exe Token: SeSystemProfilePrivilege 5048 powershell.exe Token: SeSystemtimePrivilege 5048 powershell.exe Token: SeProfSingleProcessPrivilege 5048 powershell.exe Token: SeIncBasePriorityPrivilege 5048 powershell.exe Token: SeCreatePagefilePrivilege 5048 powershell.exe Token: SeBackupPrivilege 5048 powershell.exe Token: SeRestorePrivilege 5048 powershell.exe Token: SeShutdownPrivilege 5048 powershell.exe Token: SeDebugPrivilege 5048 powershell.exe Token: SeSystemEnvironmentPrivilege 5048 powershell.exe Token: SeRemoteShutdownPrivilege 5048 powershell.exe Token: SeUndockPrivilege 5048 powershell.exe Token: SeManageVolumePrivilege 5048 powershell.exe Token: 33 5048 powershell.exe Token: 34 5048 powershell.exe Token: 35 5048 powershell.exe Token: 36 5048 powershell.exe Token: SeIncreaseQuotaPrivilege 4252 powershell.exe Token: SeSecurityPrivilege 4252 powershell.exe Token: SeTakeOwnershipPrivilege 4252 powershell.exe Token: SeLoadDriverPrivilege 4252 powershell.exe Token: SeSystemProfilePrivilege 4252 powershell.exe Token: SeSystemtimePrivilege 4252 powershell.exe Token: SeProfSingleProcessPrivilege 4252 powershell.exe Token: SeIncBasePriorityPrivilege 4252 powershell.exe Token: SeCreatePagefilePrivilege 4252 powershell.exe Token: SeBackupPrivilege 4252 powershell.exe Token: SeRestorePrivilege 4252 powershell.exe Token: SeShutdownPrivilege 4252 powershell.exe Token: SeDebugPrivilege 4252 powershell.exe Token: SeSystemEnvironmentPrivilege 4252 powershell.exe Token: SeRemoteShutdownPrivilege 4252 powershell.exe Token: SeUndockPrivilege 4252 powershell.exe Token: SeManageVolumePrivilege 4252 powershell.exe Token: 33 4252 powershell.exe Token: 34 4252 powershell.exe Token: 35 4252 powershell.exe Token: 36 4252 powershell.exe Token: SeDebugPrivilege 1648 msiexec.exe Token: SeDebugPrivilege 1112 msiexec.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exepowershell.exepowershell.exedescription pid Process procid_target PID 1404 wrote to memory of 5048 1404 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe 86 PID 1404 wrote to memory of 5048 1404 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe 86 PID 1404 wrote to memory of 5048 1404 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe 86 PID 1404 wrote to memory of 4252 1404 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe 89 PID 1404 wrote to memory of 4252 1404 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe 89 PID 1404 wrote to memory of 4252 1404 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe 89 PID 5048 wrote to memory of 1648 5048 powershell.exe 98 PID 5048 wrote to memory of 1648 5048 powershell.exe 98 PID 5048 wrote to memory of 1648 5048 powershell.exe 98 PID 5048 wrote to memory of 1648 5048 powershell.exe 98 PID 4252 wrote to memory of 1112 4252 powershell.exe 99 PID 4252 wrote to memory of 1112 4252 powershell.exe 99 PID 4252 wrote to memory of 1112 4252 powershell.exe 99 PID 4252 wrote to memory of 1112 4252 powershell.exe 99 -
outlook_office_path 1 IoCs
Processes:
msiexec.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe -
outlook_win_path 1 IoCs
Processes:
msiexec.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe"C:\Users\Admin\AppData\Local\Temp\7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Momentaneously=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Dokumentationsniveau\Stockings.Cys';$Nontolerance95=$Momentaneously.SubString(3409,3);.$Nontolerance95($Momentaneously)"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Accesses Microsoft Outlook profiles
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Momentaneously=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Dokumentationsniveau\Stockings.Cys';$Nontolerance95=$Momentaneously.SubString(3409,3);.$Nontolerance95($Momentaneously)"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Accesses Microsoft Outlook profiles
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1112
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
854B
MD5e935bc5762068caf3e24a2683b1b8a88
SHA182b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD55060c037573e8c49d2b974402dbb036f
SHA10fbc98aef6faab88fd16a642f48f7470f78ca50a
SHA256b25254fb513c8875b550f9c3d0955a2a9d59868efc075872eb4c8d378271c4fc
SHA512f984db7055f57209580e018dfd7c7558ea6480f3e50ca2079fca5377425cbf52b085355fda5fcbad9e7c1581e13445124c04ed65c0978e3a8201e15521104023
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_CC847C1C687BCB4C6B5074DF051D733B
Filesize471B
MD585838d5f34f49465643c3b88b31084b2
SHA190394723146d8e01ce13211c66797e06cb5d14f4
SHA2560c207ef93936f6ad3028086c21cd68e8d750393978119129680d792c596998d6
SHA5120a5fcf4f95028191b29516b676d7a04e09246344fe85892a0196ff431e6ccba037a5b1f504778f557d45f6b33056dc92bff38113f7a5b0eb250a7957cebcb76c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7
Filesize472B
MD5ff0954ade962b7cde97c7d480974fb19
SHA1d68f3eccd23c0c92edc5195105e7a949b625c8d9
SHA25671ed01c9358af7fa0b39937ad31a4fab9b3719ecfcbd131ac0037ce6d14b003c
SHA5123509f70a5decba14b6253f726e6f860e9d899f7ea3bd4586063f87f0823fb2e59225319425ab538a199bdaa781148a8b9ca307e9a0f30d91dea560a27cf25dd7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Filesize170B
MD5c6b99b9f0efe216cd1e29a9770a99c1f
SHA1b1703da79d491ce48336edb48ac47395a24f2e76
SHA25604aad4cfa071d176479fda85ee5056619b93edcdfd5be9322c20af29f08ed5b9
SHA512e0e0fe9953feaebc6913085cfed4f6cc6866a3bff63e5f31b602f771f1c78728c6687004ab6b669f9a79e7fe7ab827acd8f1d6fb8435c38beea686723ef92f15
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5e9362d7338b1fe68a8f88fbd706ed2a4
SHA18720f50abada01066e2d2e954e8f9913069f3258
SHA256f2b6d75397734a29e2be0c9cfff560272f0b0a8069d5beb2e7c74838f68600ac
SHA51252cc5e10d08263c67d6c3df4420e45a30e05de82005293e470c249f4484a2901b0ad479b3dc41f5bf518a666d706cd06011e12f0c7656fd60ef4b8a7dcacf218
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_CC847C1C687BCB4C6B5074DF051D733B
Filesize402B
MD5e11ba4abe6c5270980b0265f4f590efe
SHA10cb547b733d60e5c418d6647d6215287013a81af
SHA2564c862c7c6c595b595eff57802b8b9f3f92b9135bf325994ac614636f63c4d69c
SHA512b1c78d0f3c030a31d549c205cbbbdd870245fef9e6e3b7c92e9a9f272e0762b4cc6b8745c6c47c9621f21de301490d32dd578d6d7da0f31c6a52028cafe17cad
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7
Filesize398B
MD58868ea395b63a34dec48a8f76e5cfe9b
SHA1eb1eeda17e0e079fae5a4964709a7fa531de0abf
SHA25664d6d794cc0d80f7f5d2506e1d7d75aab7c9e346e6050e3f73073fca3bd41f9b
SHA512c2ca7c9b3ef090b7649de3e40a48abf882e35d128bc6b7c4cf7232b00561214e5af34437031b1a778ce8f1a65f9cf2dc568d8f065475be62cfc067c48de56558
-
Filesize
775B
MD5fb241d07e8b3558780b49a931067493f
SHA1ed95b20fead530b5877817a20a8b629cd25f95b5
SHA25662ad1d76ff6fd74fb79518f040a9f3b8823bb2d02c59b99d0e26a1f186c6e298
SHA512a848644033ea3b2066de5847b1201ee6b766ea7405ba1adc7565c8e4dacc26513a4564b6d65850fe4bd49c84391bc5a5241b8603fa56cfb72352ac06dd621c8c
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Dokumentationsniveau\Stockings.Cys
Filesize54KB
MD56bacab132c443a2683b2d0de8cc9b00a
SHA1fb935821154d82a76d41876899bb2a608b13647b
SHA25696583ae3cc6a5dfdebf1422de15fde533d7fda45f63aa36a10de9103db1860fe
SHA512ecc8c0d080115eb41ccae723bf86a7e6a25ffa73d5f0e632dddd650d0fa4a6b7219a5bee09429f58f2418552b4102d8b28f8bd769c3434fdf14a4126497bb2b1
-
Filesize
310KB
MD5978f59a1f10ab98b598eb3bb6eef0add
SHA15664a52766c2d35aa4b327040721489b14294769
SHA25670a02024cbde31d7be2f3a1e30f52b74f7ab43d9a3cb7db7cb8c5580d29a0b8c
SHA5126303dbef7a9d381fb43b63a00d73cf5f27dbf5c09395598d996829c66802a1149f1743bfabc8be3f3277b36d85f6ea8086f96c63181dfdfbc643cc9abe885e1d
-
Filesize
32B
MD553898e643bd3e0ca22a462325ad62da4
SHA1e0f08a75fa5219f39e49c1b9f361119905da7d02
SHA256b947991000aea669ebfeadfb12de45121d46ad3dfd02296f373f9bf8ce4f1aff
SHA512aa17b99a93a04f7bbbb92f34c15921da80e20592a39b3921f1d3cc59fae55f66196b2be4f56716846daff041253cb63d7e373b84234d451181c87f1d097fe8ca