Malware Analysis Report

2025-03-15 00:31

Sample ID 240603-2eqavacc47
Target 8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60
SHA256 8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60
Tags persistence
Score 7/10

Analysis Overview

Score 7/10

SHA256

8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60

Threat Level: Shows suspicious behavior

The file 8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-03 22:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 22:29

Reported

2024-06-03 22:32

Platform

win7-20231129-en

Max time kernel

126s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FEIQ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe\" 1" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ImageOle.dll C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\feiq\FeiqCfg.xml C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Control C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CurVer C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID\ = "ImageOle.GifAnimator.1" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\CLSID C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ImageOle.dll" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16} C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CurVer\ = "ImageOle.GifAnimator.1" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32\ = "C:\\Windows\\SysWow64\\ImageOle.dll" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ = "GifAnimator Class" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ = "IGifAnimator" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\ = "GifAnimator Class" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\ = "ImageOle 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\CLSID\ = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\Insertable C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ = "IGifAnimator" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CLSID C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Programmable C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\ = "GifAnimator Class" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Insertable C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16} C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CLSID\ = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID\ = "ImageOle.GifAnimator" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F} C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\ImageOle.dll, 102" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182} C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe

"C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe"

Network

Country Destination Domain Proto
N/A 255.255.255.255:2425 udp
N/A 10.127.0.73:2425 udp
US 8.8.8.8:53 feiqupgrade.blog.sohu.com udp
CN 60.28.220.246:80 feiqupgrade.blog.sohu.com tcp
US 8.8.8.8:53 lubentaofeiq.blog.sohu.com udp
CN 60.13.97.138:80 lubentaofeiq.blog.sohu.com tcp
CN 42.177.83.224:80 lubentaofeiq.blog.sohu.com tcp
CN 42.177.83.225:80 lubentaofeiq.blog.sohu.com tcp
CN 42.177.83.87:80 lubentaofeiq.blog.sohu.com tcp
CN 42.177.83.115:80 lubentaofeiq.blog.sohu.com tcp
US 8.8.8.8:53 www.feiq18.com udp
CN 180.97.238.45:80 www.feiq18.com tcp
CN 180.97.238.45:80 www.feiq18.com tcp
CN 180.97.238.45:80 www.feiq18.com tcp

Files

memory/2364-0-0x0000000000400000-0x0000000000730000-memory.dmp

\Windows\SysWOW64\ImageOle.dll

MD5 c653904916e99c2653bf3b339c734f05
SHA1 6cb3cde5b5f7ffd76b0de150feb15801f705dd57
SHA256 a11cd7f420a737e8127012c24dc3fbce1b2e6c6c3425f2028c6171a7e8eb7785
SHA512 d4aa6713140d2391ee56352dc350e892ffc905843e74f1cdc99b0ce1645ec1d1ba4e990a8ee847928aabd10de0488f035c5df5e005ec7048c4f07d88d9082e6b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 22:29

Reported

2024-06-03 22:32

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FEIQ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe\" 1" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ImageOle.dll C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\feiq\FeiqCfg.xml C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CLSID\ = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID\ = "ImageOle.GifAnimator" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\CLSID\ = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ = "GifAnimator Class" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID\ = "ImageOle.GifAnimator.1" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ = "IGifAnimator" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\ = "GifAnimator Class" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32\ = "C:\\Windows\\SysWow64\\ImageOle.dll" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Control C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Insertable C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\ImageOle.dll, 102" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\CLSID C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CurVer\ = "ImageOle.GifAnimator.1" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16} C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ = "IGifAnimator" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\ = "GifAnimator Class" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\Insertable C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ImageOle.dll" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16} C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\ = "ImageOle 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Programmable C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CurVer C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CLSID C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182} C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1 C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F} C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe

"C:\Users\Admin\AppData\Local\Temp\8b57a1d2bfca240ce684718b75d941f8ada7ead8b1b8e53b69d4ebdf25ff5c60.exe"

Network

Country Destination Domain Proto
N/A 255.255.255.255:2425 udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
N/A 10.127.0.241:2425 udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 feiqupgrade.blog.sohu.com udp
CN 60.13.97.138:80 feiqupgrade.blog.sohu.com tcp
US 8.8.8.8:53 lubentaofeiq.blog.sohu.com udp
CN 123.234.2.61:80 lubentaofeiq.blog.sohu.com tcp
CN 42.177.83.134:80 lubentaofeiq.blog.sohu.com tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
CN 42.177.83.115:80 lubentaofeiq.blog.sohu.com tcp
CN 112.84.131.219:80 lubentaofeiq.blog.sohu.com tcp
CN 60.28.220.246:80 lubentaofeiq.blog.sohu.com tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.feiq18.com udp
CN 180.97.238.45:80 www.feiq18.com tcp
CN 180.97.238.45:80 www.feiq18.com tcp
CN 180.97.238.45:80 www.feiq18.com tcp

Files

memory/3720-0-0x0000000000400000-0x0000000000730000-memory.dmp

C:\Windows\SysWOW64\ImageOle.dll

MD5 c653904916e99c2653bf3b339c734f05
SHA1 6cb3cde5b5f7ffd76b0de150feb15801f705dd57
SHA256 a11cd7f420a737e8127012c24dc3fbce1b2e6c6c3425f2028c6171a7e8eb7785
SHA512 d4aa6713140d2391ee56352dc350e892ffc905843e74f1cdc99b0ce1645ec1d1ba4e990a8ee847928aabd10de0488f035c5df5e005ec7048c4f07d88d9082e6b