Malware Analysis Report

2024-09-23 04:20

Sample ID 240620-kq9eesydph
Target 0478bbd07527cc07911a77377a09cdac_JaffaCakes118
SHA256 4c145cbe75b48f1dee957d833654be2e2519ec52a78c39e298d153557c2a8eb8
Tags
metasploit backdoor evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4c145cbe75b48f1dee957d833654be2e2519ec52a78c39e298d153557c2a8eb8

Threat Level: Known bad

The file 0478bbd07527cc07911a77377a09cdac_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion trojan

MetaSploit

Modifies security service

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 08:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 08:49

Reported

2024-06-20 08:52

Platform

win7-20240611-en

Max time kernel

137s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies security service

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\Temp\25565.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\Temp\25565.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe C:\Windows\Temp\25565.exe
PID 2208 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe C:\Windows\Temp\25565.exe
PID 2208 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe C:\Windows\Temp\25565.exe
PID 2208 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe C:\Windows\Temp\25565.exe
PID 2052 wrote to memory of 2956 N/A C:\Windows\Temp\25565.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2956 N/A C:\Windows\Temp\25565.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2956 N/A C:\Windows\Temp\25565.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2956 N/A C:\Windows\Temp\25565.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2956 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2956 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2956 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2052 wrote to memory of 1496 N/A C:\Windows\Temp\25565.exe C:\Windows\SysWOW64\zonealarm.exe
PID 2052 wrote to memory of 1496 N/A C:\Windows\Temp\25565.exe C:\Windows\SysWOW64\zonealarm.exe
PID 2052 wrote to memory of 1496 N/A C:\Windows\Temp\25565.exe C:\Windows\SysWOW64\zonealarm.exe
PID 2052 wrote to memory of 1496 N/A C:\Windows\Temp\25565.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1496 wrote to memory of 2380 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 2380 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 2380 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 2380 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1964 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1496 wrote to memory of 1964 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1496 wrote to memory of 1964 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1496 wrote to memory of 1964 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1964 wrote to memory of 1556 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1556 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1556 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1556 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1556 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1556 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1556 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1964 wrote to memory of 1352 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1964 wrote to memory of 1352 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1964 wrote to memory of 1352 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1964 wrote to memory of 1352 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1352 wrote to memory of 1276 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 1276 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 1276 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 1276 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1276 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1276 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1276 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1352 wrote to memory of 2516 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1352 wrote to memory of 2516 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1352 wrote to memory of 2516 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1352 wrote to memory of 2516 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 2516 wrote to memory of 2488 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2488 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2488 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2488 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2488 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2488 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2488 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2516 wrote to memory of 2084 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 2516 wrote to memory of 2084 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 2516 wrote to memory of 2084 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 2516 wrote to memory of 2084 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 2084 wrote to memory of 2080 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2080 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2080 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2080 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe"

C:\Windows\Temp\25565.exe

C:\Windows\Temp\25565.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 504 "C:\Windows\Temp\25565.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 536 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 540 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 544 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 548 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 552 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 556 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 532 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 564 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 528 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

N/A

Files

C:\Windows\Temp\25565.exe

MD5 dd18a6628a119b8695cef08da6c10b48
SHA1 d1f6c322aede47f1b13bdaef4a89ba4e477ef0fc
SHA256 cac97e2a05108c09b0387b6ce6ee5e4824a898e76aea6ae3535500eabe3bfe09
SHA512 fa191bb38c2de3cbc17670e1ead306a4aa1eecc015444509283c858465cf6ed8fdac39620ac8c32bfaf1878a13f3475db57e86644beb4920e2227cb2622e8f23

C:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c93c561465db53bf9a99759de9d25f07
SHA1 5386934828e2c2589bfe394ac1f03ffbfba93bfa
SHA256 32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851
SHA512 bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 584f47a0068747b3295751a0d591f4ee
SHA1 7886a90e507c56d3a6105ecdfd9ff77939afa56f
SHA256 927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5
SHA512 ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5088b4be1b90717121e76c1fc33c033a
SHA1 090676b012c30e6b0d6493ca1e9a31f3093cad6f
SHA256 d1d8c8ac4136082ac60938e8148c43d81fa91a124eccf34048e629d22daeef3a
SHA512 0cac2dcf138b1a66f857a54c92afe467ef7544655cd1c4aec3b4084c92c9186d9ba10e0e74a54a6e43e676068d3747f668f7286d44fcefce7ee4d385a3a96962

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 4117e5a9c995bab9cd3bce3fc2b99a46
SHA1 80144ccbad81c2efb1df64e13d3d5f59ca4486da
SHA256 37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292
SHA512 bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f31b2aa720a1c523c1e36a40ef21ee0d
SHA1 9c8089896c55e6e6a9cca99b1b98c544723d314e
SHA256 cea90761ea6ef6fb8ac98484b5720392534a9774e884c3e343ae29559aa0a716
SHA512 a679ce1192e15cd9b8dd4a3d7ecf85707ec23fa944c020b226172497c0b5600460558cfa9304ddf2c582a95e0fcd7f1b26004c8fba0ed9afcddc6ded770c85bb

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 558ce6da965ba1758d112b22e15aa5a2
SHA1 a365542609e4d1dc46be62928b08612fcabe2ede
SHA256 c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb
SHA512 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 47985593a44ee38c64665b04cbd4b84c
SHA1 84900c2b2e116a7b744730733f63f2a38b4eb76e
SHA256 4a62e43cadba3b8fa2ebead61f9509107d8453a6d66917aad5efab391a8f8e70
SHA512 abdd7f2f701a5572fd6b8b73ff4a013c1f9b157b20f4e193f9d1ed2b3ac4911fa36ffc84ca62d2ceea752a65af34ec77e3766e97e396a8470031990faff1a269

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 ffbb389d817acf25cc38799c239d512c
SHA1 8b4854ed9e257c3da9ec11d0f145805c6ae6193f
SHA256 f3aec599ccf14f9ee446772c26b24628ba08698be4dc66b5b54acd37d26b8e39
SHA512 382e043195d74ed0e0978dcac0db8bc962bc41f2cbd1a8a80c1a5a54cb8831b5e63a74bb3f69ccd9e241a47c1a79fcc7e7dad71696bf957a349a0f7e62247931

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 bf7ee07851e04b2a0dbe554db62dc3aa
SHA1 cad155b66053cd7ce2b969a0eb20a8f4812b1f46
SHA256 13dc8dc70b7bb240f6f4cf6be5ff0ec55c606267a328bb9c9e34e5fa70cce0d9
SHA512 9ed79305c81287cf01d0138d87c6ec981b5bdd9195c56f8def4c74fdbc9b4816661d084fc1314f99b40102945b61d05121f4eaadec6403d4295a80847b797bc4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 08:49

Reported

2024-06-20 08:52

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies security service

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\Temp\25565.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\Temp\25565.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File opened for modification C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A
File created C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe C:\Windows\Temp\25565.exe
PID 2468 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe C:\Windows\Temp\25565.exe
PID 2468 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe C:\Windows\Temp\25565.exe
PID 736 wrote to memory of 4672 N/A C:\Windows\Temp\25565.exe C:\Windows\SysWOW64\cmd.exe
PID 736 wrote to memory of 4672 N/A C:\Windows\Temp\25565.exe C:\Windows\SysWOW64\cmd.exe
PID 736 wrote to memory of 4672 N/A C:\Windows\Temp\25565.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4672 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4672 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 736 wrote to memory of 1664 N/A C:\Windows\Temp\25565.exe C:\Windows\SysWOW64\zonealarm.exe
PID 736 wrote to memory of 1664 N/A C:\Windows\Temp\25565.exe C:\Windows\SysWOW64\zonealarm.exe
PID 736 wrote to memory of 1664 N/A C:\Windows\Temp\25565.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1664 wrote to memory of 4644 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1664 wrote to memory of 4644 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1664 wrote to memory of 4644 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4644 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4644 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1664 wrote to memory of 3912 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1664 wrote to memory of 3912 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1664 wrote to memory of 3912 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 3912 wrote to memory of 212 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 3912 wrote to memory of 212 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 3912 wrote to memory of 212 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 212 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 212 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 212 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3912 wrote to memory of 1696 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 3912 wrote to memory of 1696 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 3912 wrote to memory of 1696 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1696 wrote to memory of 4720 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 4720 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 4720 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 4324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4720 wrote to memory of 4324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4720 wrote to memory of 4324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1696 wrote to memory of 4612 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1696 wrote to memory of 4612 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 1696 wrote to memory of 4612 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 4612 wrote to memory of 4620 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 4620 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 4620 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4620 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4620 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4612 wrote to memory of 2020 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 4612 wrote to memory of 2020 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 4612 wrote to memory of 2020 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 2020 wrote to memory of 4084 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 4084 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 4084 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4084 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4084 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2020 wrote to memory of 3152 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 2020 wrote to memory of 3152 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 2020 wrote to memory of 3152 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe
PID 3152 wrote to memory of 3816 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 3152 wrote to memory of 3816 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 3152 wrote to memory of 3816 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\cmd.exe
PID 3816 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3816 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3816 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3152 wrote to memory of 4124 N/A C:\Windows\SysWOW64\zonealarm.exe C:\Windows\SysWOW64\zonealarm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe"

C:\Windows\Temp\25565.exe

C:\Windows\Temp\25565.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 1168 "C:\Windows\Temp\25565.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 1164 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 1136 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3900 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 1140 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 1148 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 1144 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 1152 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 1156 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 1172 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\zonealarm.exe

C:\Windows\system32\zonealarm.exe 1116 "C:\Windows\SysWOW64\zonealarm.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 106.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

C:\Windows\Temp\25565.exe

MD5 dd18a6628a119b8695cef08da6c10b48
SHA1 d1f6c322aede47f1b13bdaef4a89ba4e477ef0fc
SHA256 cac97e2a05108c09b0387b6ce6ee5e4824a898e76aea6ae3535500eabe3bfe09
SHA512 fa191bb38c2de3cbc17670e1ead306a4aa1eecc015444509283c858465cf6ed8fdac39620ac8c32bfaf1878a13f3475db57e86644beb4920e2227cb2622e8f23

\??\c:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5a466127fedf6dbcd99adc917bd74581
SHA1 a2e60b101c8789b59360d95a64ec07d0723c4d38
SHA256 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84
SHA512 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 6b0182442d6e09100c34904ae6d8ee0c
SHA1 6255e65587505629521ea048a4e40cc48b512f2c
SHA256 cb34af7065e6c95f33fee397991045dae5dfae9d510660e6981ee6263542f9a4
SHA512 64395a0c6fce50a64a2067522b798f9b27c577da96e8d68f830a075ba833f1d644af27a9c6fc941ebb3d79999ac31576763378c9997a5b38eb5fdf075918eb46

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f708dcfd087b5b3763678cfb8d63735e
SHA1 a38fa7fa516c1402762425176ff1b607db36c752
SHA256 abf4c5f7dbed40d58dc982256535a56128f86d5eaf163d634037ae2b61027a10
SHA512 fa0e84032b88e19fc67c5be846983cf89c8ba021351a0aa9cab0162ea27a3933dade0b78146b2230b0c57f218b18da52a5ce1d04b6f9746b21e4285e2540049c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d085cde42c14e8ee2a5e8870d08aee42
SHA1 c8e967f1d301f97dbcf252d7e1677e590126f994
SHA256 a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f
SHA512 de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 67a0c98a371995d5434cb9788ee1c42f
SHA1 7171d3dca52f038ca9d9e8b13f356462dbc8f3cc
SHA256 2ac5bd7466724458c6f36bbbe6be697bfbc95d3b8f8ad486b83d595bd295dbc3
SHA512 f5b31a9e68044db25853f9a158dd4ff1da717beb5802dd11a6d3b705b5bf065304c98df3c81c8487e922d4f94690ecfb2662077bffb50cba036bcd8e50935191

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c6b0028a6f5508ef564d624eda0e72bc
SHA1 18901c9856a9af672c2e27383c15d2da41f27b6b
SHA256 b41f477ecd348b1c3e12ef410d67b712627ed0696769c2c8cc2f087d02121d06
SHA512 5d5f6fb437767096562f2ab9aac2cb75611afcc090b0a65ea63dfbadb3c4a73a3d45bbe139e43a7beea889370c76ac2eb2aa0fdffa92b69cfe47dd1ffbf10a71

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 e427a32326a6a806e7b7b4fdbbe0ed4c
SHA1 b10626953332aeb7c524f2a29f47ca8b0bee38b1
SHA256 b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839
SHA512 6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8c6aa92ac8ffdfb7a0fb3dafd14d65f1
SHA1 cac3992d696a99a5dec2ab1c824c816117414b16
SHA256 dc98a84d679d0ba1e36e3142000fa9fd7c5cd4606e07cbcb33f12c98bc1510fa
SHA512 f17a7cbfc11ce2a258aee2857720dcc72ddcfd17ebe9c9b1b04bedb52835c2b35ca4bb649fd5ef3d7ef3f9585f87ef321efec52cb7524be3b83a919999c4900c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5da7efcc8d0fcdf2bad7890c3f8a27ca
SHA1 681788d5a3044eee8426d431bd786375cd32bf13
SHA256 7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8
SHA512 6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 1c6131354c6987300ea512b765475b82
SHA1 2ad74e27ee9080f65d1b2b2e537f73d8f6b59f53
SHA256 3a16ce0b62d9b7bc6832082d30e37163bbde0eddcffe9b09f20fc118b1e0d640
SHA512 b1274a40e10dea26834d3839a4c64a593252640a8a55bcbf642b661f1711451ea81ca712cc98d0c0b9132b4aaf5c8aaac6cc974fc8cbe0eed6ffc13d1b01db68

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 872656500ddac1ddd91d10aba3a8df96
SHA1 ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc
SHA256 d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8
SHA512 e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a5d4cddfecf34e5391a7a3df62312327
SHA1 04a3c708bab0c15b6746cf9dbf41a71c917a98b9
SHA256 8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a
SHA512 48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 6bf876cd9994f0d41be4eca36d22c42a
SHA1 50cda4b940e6ba730ce59000cfc59e6c4d7fdc79
SHA256 ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a
SHA512 605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 895301bce84d6fe707b5cfd50f1f9f97
SHA1 50a012f59655621768f624c4571654145663c042
SHA256 b2c6435e83784b85e7f4bdd4568bd954029caac9f5795e3111ae75db0f9874d4
SHA512 a75188afa7c01959bcbf7b832d92d0134072eecd3dd58d6179bc626024d4c9593cadc5cf9ab00deb3824853df003a0a73c84b60cefbdcb6944d216534ea7ffc4

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c1e5f93e2bee9ca33872764d8889de23
SHA1 167f65adfc34a0e47cb7de92cc5958ee8905796a
SHA256 8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a
SHA512 482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 bf7ee07851e04b2a0dbe554db62dc3aa
SHA1 cad155b66053cd7ce2b969a0eb20a8f4812b1f46
SHA256 13dc8dc70b7bb240f6f4cf6be5ff0ec55c606267a328bb9c9e34e5fa70cce0d9
SHA512 9ed79305c81287cf01d0138d87c6ec981b5bdd9195c56f8def4c74fdbc9b4816661d084fc1314f99b40102945b61d05121f4eaadec6403d4295a80847b797bc4

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 ffbb389d817acf25cc38799c239d512c
SHA1 8b4854ed9e257c3da9ec11d0f145805c6ae6193f
SHA256 f3aec599ccf14f9ee446772c26b24628ba08698be4dc66b5b54acd37d26b8e39
SHA512 382e043195d74ed0e0978dcac0db8bc962bc41f2cbd1a8a80c1a5a54cb8831b5e63a74bb3f69ccd9e241a47c1a79fcc7e7dad71696bf957a349a0f7e62247931

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c93c561465db53bf9a99759de9d25f07
SHA1 5386934828e2c2589bfe394ac1f03ffbfba93bfa
SHA256 32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851
SHA512 bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 3bd23392c6fcc866c4561388c1dc72ac
SHA1 c4b1462473f1d97fed434014532ea344b8fc05c1
SHA256 696a382790ee24d6256b3618b1431eaf14c510a12ff2585edfeae430024c7a43
SHA512 15b3a33bb5d5d6e6b149773ff47ade4f22271264f058ad8439403df71d6ecfaa2729ef48487f43d68b517b15efed587b368bc6c5df549983de410ec23b55adb1

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f31b2aa720a1c523c1e36a40ef21ee0d
SHA1 9c8089896c55e6e6a9cca99b1b98c544723d314e
SHA256 cea90761ea6ef6fb8ac98484b5720392534a9774e884c3e343ae29559aa0a716
SHA512 a679ce1192e15cd9b8dd4a3d7ecf85707ec23fa944c020b226172497c0b5600460558cfa9304ddf2c582a95e0fcd7f1b26004c8fba0ed9afcddc6ded770c85bb

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 47985593a44ee38c64665b04cbd4b84c
SHA1 84900c2b2e116a7b744730733f63f2a38b4eb76e
SHA256 4a62e43cadba3b8fa2ebead61f9509107d8453a6d66917aad5efab391a8f8e70
SHA512 abdd7f2f701a5572fd6b8b73ff4a013c1f9b157b20f4e193f9d1ed2b3ac4911fa36ffc84ca62d2ceea752a65af34ec77e3766e97e396a8470031990faff1a269

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e1df6d58e6c905e4628df434384b3c9
SHA1 e67dd641da70aa9654ed24b19ed06a3eb8c0db43
SHA256 25bb4f644e47b4b64b0052ec7edfd4c27f370d07ef884078fea685f30b9c1bb0
SHA512 93c9f24dc530e08c85776955c200be468d099d8f1d2efe5e20cbb3a1d803fe23e0ba9b589df2498832082a283d79f6f1053a26d15f49e31a0da395ecc7225ad3

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 4be01c629881eddccb675ba267a66899
SHA1 23324e7814bcd157b27e810f4c786b0c39bfc9b1
SHA256 39c14522925e5e55bf1eefcd5beb8b7aae687158163082aac7ef5690c3524a30
SHA512 7c3063badaa57e3a39eea5d87e6bdbeec00793f9afd2bea52d3aa354e0bbd83e2a63966438fe7305f29a0ee6f45cb77d4613fe2d3b4f6719e16860deae764d55

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 908860a865f8ed2e14085e35256578dd
SHA1 7ff5ee35cc7e96a661848eb95a70d0b8d2d78603
SHA256 d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f
SHA512 a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 748bce4dacebbbd388af154a1df22078
SHA1 0eeeb108678f819cd437d53b927feedf36aabc64
SHA256 1585c9ef77c37c064003bd746cd0a8da2523c99a10c3fb6eabd546e2a343646a
SHA512 d9756851b4aa1108416b7a77f0c6b84b599d695850d704a094a1f83b322d892ab6706001d5322e876b93935b830bcb52a951b4c69004ea2be338f64b85be2ea1

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f1cbbc2ce0d93c45a92edcc86780e9f0
SHA1 d893306caae2584cdeba4c80c3bfe18548fa227a
SHA256 6646122747280612f7cb0e88c16544e472aae7c20217b711bbee8f10562e49c7
SHA512 b4ba834ab846d1dc9bbeca52e54705cdbf010687a5c1c54a82fddc15c64025528ef874213a59d1be5fb7ada7abd0862235a0c924f10819fbbfb36bd2ba29adf7

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 b9dc88ed785d13aaeae9626d7a26a6a0
SHA1 ab67e1c5ca09589b93c06ad0edc4b5a18109ec1e
SHA256 9f1cba2944ed1a547847aa72ba5c759c55da7466796389f9a0f4fad69926e6fc
SHA512 df6380a3e5565ff2bc66d7589af7bc3dcfa2598212c95765d070765341bba446a5a5d6206b50d860f6375c437622deb95a066440145a1b7917aee6dcef207b91

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 0a839c0e3eb1ed25e6211159e43f4df1
SHA1 a227a9322f58b8f40b2f6f326dca58145f599587
SHA256 717a2b81d076586548a0387c97d2dc31337a03763c6e7acb642c3e46ec94d6f0
SHA512 bd2b99fb43ccd1676f69752c1a295d1da0db2cb0310c8b097b4b5b91d76cff12b433f47af02b5f7d0dd5f8f16624b0c20294eebf5c6a7959b2b5d6fe2b34e508

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f5fa5178657d29a36c5dc4ac9445cbdc
SHA1 4be1a87a89715d24d52b23c59006f9cb74437ba0
SHA256 f5df5a0913b98b4c5ef35c76ba8c7601adb2698300bef0a47f23845a95942114
SHA512 54272b6eaead06588ac6605a5d995c928f2270c2bccb18891f83dc5cae98eb2c88a98b49bd553f6305659cbf51c36842840dd98fa0b44a3b693de8c7af1f6b6f

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8a0897226da780b90c11da0756b361f1
SHA1 67f813e8733ad75a2147c59cca102a60274daeab
SHA256 115ff7b8bbe33e1325a2b03fb279281b79b2b9c4c0d6147c049c99da39867bee
SHA512 55e0e0791fb8e76fb67511ef2bfe1bdb934c857a5a555f9c72dd063250c18b17c57ff9f220c0d3cdd219828d87f5c08bfe5e198476c9d38119c4cfb099b99642

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a13ff758fc4326eaa44582bc9700aead
SHA1 a4927b4a3b84526c5c42a077ade4652ab308f83f
SHA256 c0915178e63bf84c54e9c942b5cc80327c24d84125042767d7e1e2ef3e004588
SHA512 86c336086a1d0ca689e133df8e3c3ec83eeef86649dbf8b9d367c3e543358ad54f69d1a20d56c56200e294f22b2741186db0f359051159b4e670d3e9b5861842

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f82bc8865c1f6bf7125563479421f95c
SHA1 65c25d7af3ab1f29ef2ef1fdc67378ac9c82098d
SHA256 f9799dc2afb8128d1925b69fdef1d641f312ed41254dd5f4ac543cf50648a2f6
SHA512 00a9b7798a630779dc30296c3d0fed2589e7e86d6941f4502ea301c5bce2e80a5d8a4916e36183c7064f968b539ae6dac49094b1de3643a1a2fedc83cf558825

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 1b2949b211ab497b739b1daf37cd4101
SHA1 12cad1063d28129ddd89e80acc2940f8dfbbaab3
SHA256 3e906a8373d1dfa40782f56710768abd4365933ad60f2ca9e974743c25b4cb6c
SHA512 a9e6555d435fe3e7a63059f20cd4c59531319421efcd90ca1d14498c28d9882ab0b7cd1af63dd50fa693b3b5a714db572d61867c56b86618423c7feaf043f2ef

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9fa547ff360b09f7e093593af0b5a13b
SHA1 9debc99bb7450f59a7b09f16c0393e5c7a955ba4
SHA256 7ff65c0be2004867f536ce9b94783da4b5e4bc06cca5bd899933c8b68a44c705
SHA512 30e5aa130c6b0869dc3fbb79da54d42699be6de0af65c9127ea047548a22d98b68300f18432141207166687576ba86433d4ae9d3458dbcc2aec9f14198c58193

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2e2266221550edce9a27c9060d5c2361
SHA1 f39f2d8f02f8b3a877d5969a81c4cb12679609f3
SHA256 e19af90814641d2c6cd15a7a53d676a4a7f63b4a80a14126824d1e63fdccdcdb
SHA512 e962cc55d1f9537159c34349a2fa5ffffc910de3e52cafa8347c43eded78b8e986ecb8e2e9ada5e2381b034151f17e6b984c279460e8e114e50ea58a64648864

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2b307765b7465ef5e4935f0ed7307c01
SHA1 c46a1947f8b2785114891f7905f663d9ae517f1b
SHA256 a3f77536a922968bc49827a6c8553ed6b74eafd52e6c1fcfd62bfa20a83efc85
SHA512 fce4fbf9900f50368cb35ac40e60b54835912921848a45b196c6f68ad66a07549f27237956c751f511d2589cf91980658d4f1b743dd2c9c9506102da3be4bae2

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 e6d8af5aed642209c88269bf56af50ae
SHA1 633d40da997074dc0ed10938ebc49a3aeb3a7fc8
SHA256 550abc09abce5b065d360dfea741ab7dd8abbe2ea11cd46b093632860775baec
SHA512 6949fc255c1abf009ecbe0591fb6dbfd96409ee98ae438dbac8945684ccf694c046d5b51d2bf7679c1e02f42e8f32e8e29a9b7bdbc84442bec0497b64dfa84cf

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 1daa413d1a8cd1692f2e4ae22b54c74a
SHA1 2e02e2a23cfaa62f301e29a117e291ff93cc5d31
SHA256 10732e2612780d9694faf0bb9b27cdc6f3376ad327da7dfc346e9e5579493d33
SHA512 b947c70c7c4af971e3fbdc66fb7175b6624ac68c6a723dac7ecb5cf5f43bbe210fa0fa61fd4b6153dccf7de077d003ca03f061e209dc37773546b038e6aef277