CryptoMiners Landscape in LATAM
CryptoMiners in LATAM
Since the emergence of Bitcoin in 2009, cryptocurrency mining has become a lucrative activity in the contemporary digital landscape. It offers investment opportunities and wealth creation on an unprecedented scale, fostering the use of dedicated tools known as CryptoMiners.
A CryptoMiner, also known as a coinminer, is software used to mine cryptocurrencies by taking advantage of the capabilities of the device on which it runs.
This document aims to provide an overview of CryptoMiners in Latin America due to continued attacks. Since the beginning of 2023, the region has been affected by threat actors and cybercriminal groups such as 8220 Gang and Red BerryMiner, profiled by SCILabs in late 2023, which carry out cryptojacking attacks (also called malicious cryptocurrency mining), affecting organizations of all types in the industrial, services and telecommunications sectors, to mention a few.
How could a cryptominer attack affect organizations?
Cryptojacking attacks not only put the security of corporate and personal information at risk but also significantly impact the performance and lifespan of affected IT assets. Threat groups operating crypto-mining malware often exploit vulnerabilities in technology commonly used by all organizations, aiming to distribute cryptominers and integrate victim devices into botnets such as Mirai or Tsunami. This can have severe consequences for an organization’s infrastructure. Mirai, known for its DDoS attacks, can cause massive disruptions to services and systems. Additionally, this attack can be an initial access vector for more dangerous attacks such as ransomware, damaging reputation and causing financial losses to organizations.
Characteristics of cryptominer attacks
Although carrying out cryptomining activities is not inherently malicious, threat actors use malicious techniques to mine cryptocurrencies on other people’s devices and exploit their resources illicitly with a financial motivation. This activity is known as cryptojacking, and it is what turns CryptoMiners into a threat.
Currently, there are three types of cryptojacking:
- In-Browser hijacking
- In-Host hijacking
- In-Memory hijacking
In-browser cryptojacking
This technique has been used since 2011 when the cryptomining trend began, and Bitcoin became popular; it resurged in 2017 with the appearance of CoinHive, one of that year’s most maliciously used legal crypto mining services.
This type of attack does not require user permissions and usually maintains persistence by hiding the browser windows that perform the mining.
In this case, the stolen resources are exploited through a cryptomining script, generally written in JavaScript. The script may be embedded in a site or web application, in malicious ads, on websites that allow the execution of third-party services for tracking tools or analytics services, or in web extensions that can perform mining. It may also be delivered through Man-in-the-Middle activities: once the victim’s web traffic has been captured, the cryptomining script can be injected into non-HTTPS traffic.
Although it is currently not one of the most common techniques for performing cryptojacking, it is still used to a lesser extent.
In-host cryptojacking
In this technique, threat actors use cryptominers to access the host’s resources, turning the infected device into a computer dedicated to mining cryptocurrencies without the victim’s knowledge.
Unlike the previous technique, a cryptominer must be installed on the host system. Hence, its delivery and installation method is through social engineering, vulnerability exploitation, or Drive-by-Download.
The first component to act during an in-host cryptojacking infection is an external tool or intermediary malware, such as a script, a dropper, a worm, or a trojan. Upon entering the system, it takes charge of and initiates the attack flow, and its tasks may include the following:
- Starts the download, decryption, or unpacking of the cryptominer.
- Prepares the victim equipment for mining. This implies recognizing the environment and equipment characteristics, mainly the processing power.
- Performs the elevation of privileges or administration of permissions necessary for executing the cryptominer.
- Eliminates tools and processes that may generate conflicts.
- Searches for and removes security software.
- Establishes persistence for the crypto miner.
- Configures and optimizes the processor for cryptomining activities.
- Runs the cryptominer (possibly in the background).
- Possibly establishes a communication channel with C2.
- Compromises other computers on the network.
Once the cryptominer is up and running, it initiates a connection to the threat actor’s mining pool using a web socket or an API. Through this pool, the cryptominer receives the operations needed to calculate a hash and sends its results back, which is why the cryptominer must be in constant communication with it. This feature can be handy in identifying if a device is compromised.
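The constant miner-to-pool exchange described above can be hunted for in captured cleartext traffic. The following is an added example, not SCILabs code: it assumes the pool speaks Stratum (newline-delimited JSON-RPC, as used by XMRig-style miners), and the records, addresses, and wallet placeholder are constructed.

```python
import json
from collections import defaultdict

# Assumption: the pool speaks Stratum (newline-delimited JSON-RPC), the protocol
# used by XMRig-style miners. Only cleartext sessions are visible this way.
AUTH_METHODS = {"login", "mining.authorize"}
SHARE_METHODS = {"submit", "mining.submit"}
OTHER_METHODS = {"job", "getjob", "keepalived", "mining.subscribe",
                 "mining.notify", "mining.set_difficulty"}
STRATUM_METHODS = AUTH_METHODS | SHARE_METHODS | OTHER_METHODS


def stratum_method(line: bytes):
    """Return the Stratum method named in one payload line, or None."""
    try:
        msg = json.loads(line.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if isinstance(method, str) and method in STRATUM_METHODS:
        return method
    return None


def find_mining_flows(records, min_submits=2):
    """records: iterable of (sender, receiver, payload bytes).

    A flow is flagged when the sender authenticates to a pool and then keeps
    submitting shares, which a one-off JSON-RPC "login" to a normal app never does.
    """
    seen = defaultdict(lambda: {"auth": False, "submits": 0})
    for sender, receiver, payload in records:
        for line in payload.splitlines():
            method = stratum_method(line)
            if method in AUTH_METHODS:
                seen[(sender, receiver)]["auth"] = True
            elif method in SHARE_METHODS:
                seen[(sender, receiver)]["submits"] += 1
    return sorted(flow for flow, s in seen.items()
                  if s["auth"] and s["submits"] >= min_submits)


# Constructed sample: one mining host, one benign JSON-RPC client, one TLS flow.
SAMPLE_RECORDS = [
    ("10.0.5.23", "198.51.100.7:3333",
     b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
     b'{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"miner/0.0"}}\n'),
    ("198.51.100.7:3333", "10.0.5.23",
     b'{"jsonrpc":"2.0","method":"job","params":{"job_id":"a1","blob":"00"}}\n'),
    ("10.0.5.23", "198.51.100.7:3333",
     b'{"id":2,"jsonrpc":"2.0","method":"submit","params":{"job_id":"a1"}}\n'
     b'{"id":3,"jsonrpc":"2.0","method":"submit","params":{"job_id":"a1"}}\n'),
    ("10.0.5.40", "192.0.2.10:8080",
     b'{"jsonrpc":"2.0","method":"login","params":{"user":"alice"}}\n'),
    ("10.0.5.41", "192.0.2.11:443", b"\x16\x03\x01\x02\x00\x01\xfe"),
]

if __name__ == "__main__":
    for sender, receiver in find_mining_flows(SAMPLE_RECORDS):
        print(f"possible miner: {sender} -> {receiver}")
```

Pools reached over TLS will not match; for those, the long-lived outbound connection itself is the signal to investigate.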
In-memory cryptojacking
This type of cryptojacking typically employs the same initial infection vector as in-host cryptojacking and delivers the payload through the same means. However, unlike in-host cryptojacking, no files are kept on disk for the cryptominer’s execution. Instead, a fileless technique is used to avoid leaving evidence in the system, making the cryptominer more challenging to detect and eliminate.
Once the operators successfully breach the victim’s computer, whether through vulnerability exploitation or intermediary malware, they inject the payload into a process that goes unnoticed by the user, such as a PowerShell process. This meticulous process, often involving the preparation of the equipment for mining, creation of persistence, downloading and execution of the necessary components for lateral movement and mining, and finally, the downloading and injection of the cryptominer into a process, demonstrates their advanced technical skills. The connection with the mining pool is then initiated, and the threat actor is contacted through a C2 channel.
Current landscape
Based on SCILabs telemetry, cryptojacking attacks are carried out by multiple threat actors, even by operators who are inexperienced or lack extensive technical capabilities. However, two threat groups, Red BerryMiner and 8220 Gang, are of interest because, in addition to installing crypto miners, they deploy other types of malware, such as botnets and even ransomware, as in the case of 8220 Gang.
In this post, we will not provide a detailed investigation of these threat groups, as SCILabs has already published information about them, and there are various public investigations where additional information can be found. We intend to provide information that raises awareness about the danger these types of threats can represent.
Main countries and sectors affected by cryptojacking attacks
As cybersecurity professionals, IT administrators, and business leaders in Latin America, you must be aware of the potential impact of cryptojacking attacks on the main countries and sectors. Our telemetry shows that Mexico, Brazil, Argentina, Ecuador, Venezuela, Colombia, Peru, Bolivia, Chile, and Paraguay, along with the industrial, services, and telecommunications sectors, are particularly vulnerable.
Threat groups related to cryptojacking attacks
As mentioned earlier in this publication, we provide only general context on the principal threat groups that, according to SCILabs telemetry, affect Latin America.
The 8220 Gang is a long-standing threat group that exploits vulnerabilities in cloud servers to initiate an infection process in the network of victim organizations. The group then uses the infected devices for cryptocurrency mining activities. This threat group has been operating since 2017: a testament to its persistence and the seriousness of the threat it poses.
This threat group can maintain command and control communication on the victim’s servers, which allows it to download any artifacts, including ransomware; specifically, campaigns related to the GandCrab ransomware family have been observed.
Among the principal vulnerabilities that this threat group uses are the following:
# | Technology | Vulnerability | Description |
1 | JBoss | CVE-2017-12149 (CVSS:3.0 – 9.8 CRITICAL) | The doFilter method in the HTTP Invoker’s ReadOnlyAccessFilter does not restrict the classes for which it performs deserialization, and therefore allows an attacker to execute arbitrary code via crafted serialized data. |
2 | Oracle WebLogic | CVE-2017-10271 (CVSS:3.0 – 7.5 HIGH) | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). The supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in the takeover of Oracle WebLogic Server. |
3 | Apache CouchDB | CVE-2017-12635 (CVSS:3.0 – 9.8 CRITICAL) | Due to differences in the Erlang-based JSON parser and the JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to send _users documents with duplicate keys for ‘roles’ used for access control within the database, including the special case role ‘_admin’, which denotes administrative users. |
4 | Apache CouchDB | CVE-2017-12636 (CVSS:3.0 – 7.2 HIGH) | CouchDB administrative users can configure the database server over HTTP(S). Some of the configuration options include paths for operating system-level binaries that CouchDB later launches. This allows an administrator user on Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and running scripts from the public Internet. |
5 | Drupal | CVE-2018-7600 (CVSS:3.0 – 9.8 CRITICAL) | Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code due to an issue affecting multiple subsystems with configurations of common or default modules. |
6 | Apache Struts | CVE-2017-5638 (CVSS:3.0 – 10.0 CRITICAL) | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and generation of error messages during file upload attempts, which allows remote attackers to execute arbitrary commands through a manipulated Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in March 2017 with a Content-Type header containing a #cmd= string. |
7 | Sonatype Nexus | CVE-2019-7238 (CVSS:3.0 – 9.8 CRITICAL) | Sonatype Nexus Repository Manager before 3.15.0 has incorrect access control. |
8 | Atlassian Confluence | CVE-2019-3396 (CVSS:3.0 – 9.8 CRITICAL) | The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution in a Confluence Server or Data Center instance via server-side template injection. |
9 | Atlassian Confluence | CVE-2022-26134 (CVSS:3.0 – 9.8 CRITICAL) | In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1. |
10 | Redis | CVE-2022-0543 (CVSS:3.0 – 10.0 CRITICAL) | Redis, a persistent key-value database, was found to be prone, due to a packaging issue, to a (Debian-specific) Lua sandbox escape, which could result in remote code execution. |
Additionally, the threat group mainly uses the following tools:
Red BerryMiner is a threat group that exploits vulnerabilities in Internet-exposed servers belonging to different organizations to initiate a malware infection process and use the infected devices for crypto mining activities. It shares infrastructure with the Mirai Botnet, and in its infection chain it installs the ShellBot malware family, also known as PerlBot, and, predominantly, the XMRig cryptominer.
The following are some of the vulnerabilities that this group uses:
# | Technology | Vulnerability | Description |
1 | Avaya Aura Device Services | CVE-2023-3722 (CVSS:3.0 – 9.8 CRITICAL) | Operating system command injection vulnerability in the Avaya Aura Device Services web application could allow remote code execution as a user of the web server via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier. |
2 | ThinkPHP | CVE-2018-20062 (CVSS:3.0 – 9.8 CRITICAL) | Allows remote attackers to execute arbitrary PHP code, via crafted use of the filter parameter. |
3 | Spring Shell | CVE-2022-22965 (CVSS:3.0 – 9.8 CRITICAL) | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general and there may be other ways to exploit it. |
Additionally, the threat group mainly uses the following tools:
Main CryptoMiner families observed in the Latin American region by SCILabs
The findings are based on a comprehensive analysis of our telemetry data and various reliable public sources, providing a clear picture of LATAM’s most prevalent cryptominer families.
XMRig is open-source software designed for cryptocurrency mining, and it is one of the most used cryptominers in cryptojacking attacks; this is possibly related to the versatility that its open-source nature gives operators to modify it. It is one of the most used tools to mine Monero, a cryptocurrency known for having untraceable transactions. The main features of this software are:
- Greater versatility for its distribution as it does not require additional tools to function.
- Because it is open source, there are more variants of it.
- Multiplatform versatility (Windows, Linux, macOS and FreeBSD).
- Donates 5 percent of the revenue earned from mined coins to the wallet address of the code author; once the code is modified, that share is passed on to the malware operators.
PwnRig is an XMRig-based CryptoMiner. In addition to the features already mentioned for XMRig, it has the following:
- It hides its configuration details.
- It uses a mining proxy.
It is a CryptoMiner with multiple variants used to mine Monero, which SCILabs observes on Linux servers. Its main features are:
- It is written in the Go programming language.
- Uses Google Sites to host web pages for distribution.
- As initial access, its operators carry out brute force attacks on SSH services exposed on the Internet, loading WebShells on vulnerable servers and exploiting the vulnerabilities:
  - CVE-2022-22947: Spring Cloud Gateway RCE.
  - CVE-2021-44228: Apache Log4j RCE.
- Runs as a background process.
- Ability to self-delete.
- Temporary persistence (it is invalidated if the infected computer is restarted) through tasks scheduled with Cron Jobs.
- It is installed in the /etc directory using random names (without any identified pattern), for example, /etc/2arw4t2w84ig4w9.00991.
- Ability to install XMRig.
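The cron persistence and randomly named files in /etc listed above lend themselves to a simple hunt over crontab contents. The following is an added example, not SCILabs tooling: the letter/digit alternation heuristic and its thresholds are assumptions, and the crontab lines are constructed around the path quoted in the list.

```python
import re
from pathlib import PurePosixPath

# A cron entry starts with five schedule fields or an @keyword such as @reboot.
SCHEDULE = re.compile(r"^(@\w+|(\S+\s+){4}\S+)\s+(?P<rest>.+)$")


def class_switches(name: str) -> int:
    """Count letter<->digit alternations, a cheap signal for generated names."""
    kinds = ["d" if c.isdigit() else "a" for c in name if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def suspicious_path(token: str, min_len: int = 10, min_switches: int = 4) -> bool:
    """True for a file placed directly in /etc whose name looks random.

    Thresholds are assumptions for this example; tune them on your own fleet.
    """
    p = PurePosixPath(token)
    return (str(p.parent) == "/etc" and len(p.name) >= min_len
            and class_switches(p.name) >= min_switches)


def hunt_cron(lines):
    """Return (line_number, path) for cron entries that reference such a file.

    Every token of the command is inspected, so user crontabs and the
    /etc/crontab format with its extra user column are both covered.
    """
    hits = []
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SCHEDULE.match(line)
        if not match:
            continue  # environment assignment such as MAILTO=root
        for word in match.group("rest").split():
            token = word.strip("\"';&|()<>")
            if token.startswith("/") and suspicious_path(token):
                hits.append((number, token))
    return hits


# Constructed crontab; only the /etc path on line 4 comes from the report.
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "MAILTO=root",
    "17 3 * * * /usr/sbin/logrotate /etc/logrotate.conf",
    "*/5 * * * * /etc/2arw4t2w84ig4w9.00991 >/dev/null 2>&1",
    "@reboot /usr/bin/e2scrub_all -A -r",
    "0 4 * * 0 /usr/local/bin/backup.sh --config /etc/backup/job1.conf",
]

if __name__ == "__main__":
    for number, path in hunt_cron(SAMPLE_CRONTAB):
        print(f"line {number}: cron entry runs {path}")
```

Feed it the output of `crontab -l` for each user and the files under /etc/cron.d, then check each reported path against the package manager before removing anything.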
Attack Flow Commonly Observed in CryptoMiners Attacks
Most common TTP observed in cryptojacking attacks aligned to MITRE ATT&CK®
Conclusion
Cryptojacking attacks, often underestimated, can have devastating consequences; as detailed in this publication, threat groups like 8220 Gang can exploit their access to an organization’s infrastructure to deploy ransomware. Similarly, cybercriminals such as Red BerryMiner can introduce additional malware like the Mirai Botnet and ShellBot while leveraging ‘living-off-the-land’ techniques to download more malicious artifacts and install backdoors and Reverse Shells.
This represents a critical risk for organizations because they may be exposed to data breaches, theft of all types of information, and impact from ransomware, affecting their reputation and causing economic losses. SCILabs considers that attacks with crypto miners will remain constant throughout the year, taking advantage of new vulnerabilities that provide access to infrastructure, which are increasingly affecting LATAM countries.
Given these circumstances, SCILabs considers it is essential that organizations are aware of the TTP (Techniques, Tactics, and Procedures) used by the operators of this type of malware and consider them in their security posture to reduce the risk of suffering from cryptojacking attacks.
Recommendations
- Avoid downloading and installing software from unofficial sites.
- In the case of emails, avoid infection through phishing emails:
  - Verify the legitimacy of the sender of the emails received.
  - Verify that the sender is consistent with the content of the email.
  - Avoid opening suspicious links.
  - Avoid opening or downloading suspicious files.
- Install ad blockers in your browser to block unwanted pop-ups, ads, and banner ads on websites.
- Disable JavaScript in the browser to avoid loading malicious scripts.
- Monitor system status and performance on the organization’s endpoints and servers.
- Conduct hunting activities searching for unknown or suspicious processes, such as PowerShell processes, that consume large amounts of resources and are not started by any application used by the user or the organization.
- Detect and block unusual traffic within the network that may generate multiple requests, as these may be directed to mining pool addresses or related to cryptocurrencies.
- Carry out hunting activities in search of threats that have infected or are operating on the organization’s devices, such as Trojans, worms, bots, stealers, etc. This intermediary malware usually accompanies cryptominers.
- Carry out hunting activities to find elements that generate persistence, mainly in scheduled tasks or registry keys.
- If possible, use security tools with anomaly detection algorithms to detect patterns associated with cryptojacking attacks, such as decreased processing speed.
- Periodically perform offline backups of information considered critical or essential for the operation and continuity of the business.
- Keep all the organization’s computer equipment updated to the latest version of the operating system.
- Maintain all current applications using the most stable versions based on manufacturers’ recommendations.
- Apply critical patches to the systems or, failing that, implement a shielding system at the hypervisor level that allows the implementation of virtual patches that immediately mitigate the vulnerability without incurring the risk of altering or directly damaging the operating system and impacting the operation.
- Implement a web application firewall (WAF) or, if the organization already has one, evaluate its configuration against the manufacturer’s best practices and apply them in the short term.
- Integrate security policies at all organizational levels that consider using EDR systems with high research capabilities, always keeping them updated and correctly configured under the best practices issued by manufacturers.
- Create stronger password policies and apply the principle of least privilege for all users within the organization. Consider disabling “admin” or “root” users and creating custom and limited roles for different types of system administrators according to their specific functions.
IoC