Analysis
- max time kernel: 72s
- max time network: 75s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
- submitted: 10-06-2023 01:09
Static task
static1
Behavioral task
behavioral1
Sample
24a4039692a2d0baa28bf7ee0456f82c.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
24a4039692a2d0baa28bf7ee0456f82c.exe
Resource
win10v2004-20230220-en
General
- Target: 24a4039692a2d0baa28bf7ee0456f82c.exe
- Size: 1.0MB
- MD5: 24a4039692a2d0baa28bf7ee0456f82c
- SHA1: 8b43fc96bc9bf12ab8fcf4cac1e7c1f20be4a6f2
- SHA256: f0c3c67d1099fb21019694585646996f465eae28006dc248c0adfeac1e8fe189
- SHA512: bb8a89aaac6cebaf5a2a9bde42436794eb6bc912da7d9007c73c1783c917ff0b37c217e0d2c66b4043f923c4e10b21a4c39abbe495d45faab5990c058778a023
- SSDEEP: 24576:WBpJi6LbUjebhV8kk/DWgHX5BD6PhyONxWqnCsEyA:S7vYiP6S0D6PhywxbXEl
Malware Config
Signatures
-
Downloads MZ/PE file
-
Sets file execution options in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZoneAlarmUpdate.exe | ZoneAlarmUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZoneAlarmUpdate.exe\DisableExceptionChainValidation = "0" | ZoneAlarmUpdate.exe
-
Executes dropped EXE 13 IoCs
Processes:
pid | process
1748 | ZoneAlarmUpdate.exe
1620 | ZoneAlarmUpdate.exe
1164 | ZoneAlarmUpdate.exe
1976 | ZoneAlarmUpdateComRegisterShell64.exe
1912 | ZoneAlarmUpdateComRegisterShell64.exe
1648 | ZoneAlarmUpdateComRegisterShell64.exe
1492 | ZoneAlarmUpdate.exe
1704 | ZoneAlarmUpdate.exe
968 | ZoneAlarmUpdate.exe
1928 | ZANG_Install.exe
1872 | dltel.exe
1240 | dltel.exe
1548 | ZoneAlarmUpdate.exe
-
Loads dropped DLL 45 IoCs
Processes:
pid | process
2012 | 24a4039692a2d0baa28bf7ee0456f82c.exe
1748 | ZoneAlarmUpdate.exe
1748 | ZoneAlarmUpdate.exe
1748 | ZoneAlarmUpdate.exe
1748 | ZoneAlarmUpdate.exe
1620 | ZoneAlarmUpdate.exe
1620 | ZoneAlarmUpdate.exe
1620 | ZoneAlarmUpdate.exe
1748 | ZoneAlarmUpdate.exe
1164 | ZoneAlarmUpdate.exe
1164 | ZoneAlarmUpdate.exe
1164 | ZoneAlarmUpdate.exe
1976 | ZoneAlarmUpdateComRegisterShell64.exe
1164 | ZoneAlarmUpdate.exe
1164 | ZoneAlarmUpdate.exe
1912 | ZoneAlarmUpdateComRegisterShell64.exe
1164 | ZoneAlarmUpdate.exe
1164 | ZoneAlarmUpdate.exe
1648 | ZoneAlarmUpdateComRegisterShell64.exe
1164 | ZoneAlarmUpdate.exe
1748 | ZoneAlarmUpdate.exe
1748 | ZoneAlarmUpdate.exe
1748 | ZoneAlarmUpdate.exe
1748 | ZoneAlarmUpdate.exe
1748 | ZoneAlarmUpdate.exe
1748 | ZoneAlarmUpdate.exe
1492 | ZoneAlarmUpdate.exe
1704 | ZoneAlarmUpdate.exe
1704 | ZoneAlarmUpdate.exe
1704 | ZoneAlarmUpdate.exe
968 | ZoneAlarmUpdate.exe
968 | ZoneAlarmUpdate.exe
968 | ZoneAlarmUpdate.exe
968 | ZoneAlarmUpdate.exe
1704 | ZoneAlarmUpdate.exe
968 | ZoneAlarmUpdate.exe
1928 | ZANG_Install.exe
1928 | ZANG_Install.exe
1928 | ZANG_Install.exe
1928 | ZANG_Install.exe
1928 | ZANG_Install.exe
1928 | ZANG_Install.exe
968 | ZoneAlarmUpdate.exe
968 | ZoneAlarmUpdate.exe
1548 | ZoneAlarmUpdate.exe
-
Registers COM server for autorun 1 TTPs 20 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" | ZoneAlarmUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" | ZoneAlarmUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" | ZoneAlarmUpdateComRegisterShell64.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\GUM964.tmp\psmachine.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_fa.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_id.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ms.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\npZoneAlarmUpdate3.dll | ZoneAlarmUpdate.exe
File opened for modification | C:\Program Files (x86)\CheckPoint\Update\Download\{814E4157-8A6C-461B-A80F-B75931228CA1}\3.3.407.0\ZANG_Install.exe | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\GUM964.tmp\ZoneAlarmUpdateWebPlugin.exe | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\ZoneAlarmCrashHandler64.exe | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_ca.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_vi.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_da.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_fr.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\GUM964.tmp\ZoneAlarmUpdateBroker.exe | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_fr.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_fi.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_fil.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_zh-TW.dll | ZoneAlarmUpdate.exe
File opened for modification | C:\Program Files (x86)\GUT965.tmp | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_sr.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_hi.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_vi.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_lv.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdate.exe | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_en-GB.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_lv.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_sl.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\psuser.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_ru.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_gu.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_gu.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_zh-CN.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\psmachine.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_sk.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_es.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ur.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_bg.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_hu.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_iw.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\GUM964.tmp\ZoneAlarmUpdateComRegisterShell64.exe | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_sv.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_hr.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_nl.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_nl.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_ro.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_ta.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_lt.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\psuser_64.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_ms.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_pl.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_cs.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_pt-BR.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_sw.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\GUM964.tmp\psuser.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_it.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_sr.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_mr.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_th.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_el.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_hu.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_tr.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_pt-PT.dll | ZoneAlarmUpdate.exe
File created | C:\Program Files (x86)\GUM964.tmp\ZoneAlarmUpdateHelper.msi | 24a4039692a2d0baa28bf7ee0456f82c.exe
File created | C:\Program Files (x86)\GUM964.tmp\goopdateres_es-419.dll | 24a4039692a2d0baa28bf7ee0456f82c.exe
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
1636 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3} | ZoneAlarmUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3}\Policy = "3" | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8} | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\AppName = "ZoneAlarmUpdateBroker.exe" | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\AppPath = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0" | ZoneAlarmUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\Policy = "3" | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3}\CLSID = "{D5B80838-9D7E-4A94-8115-17A76F676AD3}" | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A} | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\AppName = "ZoneAlarmUpdateWebPlugin.exe" | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\AppPath = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0" | ZoneAlarmUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\Policy = "3" | ZoneAlarmUpdate.exe
-
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CoreClass.1\ = "Google Update Core Class" | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40AE72F1-9B37-47C1-B09D-513425C48CBE}\InprocHandler32\ThreadingModel = "Both" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92785311-171B-4358-A89D-11AC094F5717}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D088BAD8-E92C-4500-BDBC-5CF5E239F40E}\NumMethods | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.OnDemandCOMClassMachine\CurVer | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07567CD2-4EE7-4040-9226-D4B83474EC0F}\VersionIndependentProgID | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07567CD2-4EE7-4040-9226-D4B83474EC0F}\LocalServer32 | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92785311-171B-4358-A89D-11AC094F5717}\ProxyStubClsid32 | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7A50D4F-9FCE-48D7-B93F-A45944226ECF}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62D4E3B9-85B5-4402-B456-516E9B4AC7A9} | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE1B13CA-C8E2-46D6-B5A0-02FAD7485323}\ = "ICurrentState" | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3WebMachine | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CoCreateAsync\CurVer\ = "CheckPointUpdate.CoCreateAsync.1.0" | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BC307423-DEA5-4E91-A312-A738BE74A13F}\LocalServer32 | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CoreClass.1\CLSID\ = "{06ED0FAA-AFA8-47C6-8B74-40789104D386}" | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86BAA25A-9A0A-4F50-BCC4-1496BBDFBF6D}\NumMethods\ = "5" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A86AF1BE-D06B-4569-B99A-814124EA8B20}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" | ZoneAlarmUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40AE72F1-9B37-47C1-B09D-513425C48CBE}\InprocHandler32 | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DF65338-FEC8-4270-A02A-B06B1DE3AC09}\ProxyStubClsid32 | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC5AB8D5-6AFA-43B7-BDAE-06FEC4ECBE04}\NumMethods\ = "12" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A93F6E13-DB63-493B-9170-BD91278A1E57}\ = "IZoneAlarmUpdate3Web" | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7A50D4F-9FCE-48D7-B93F-A45944226ECF} | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.OnDemandCOMClassMachineFallback.1.0\ = "Google Update Legacy On Demand" | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BC307423-DEA5-4E91-A312-A738BE74A13F} | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CD5C033-8E26-4B96-A6FB-393DCCF30294}\ProxyStubClsid32 | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{39D75D4A-0F18-484D-88B4-25153FE1DD7F}\ProxyStubClsid32 | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A86AF1BE-D06B-4569-B99A-814124EA8B20} | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC5AB8D5-6AFA-43B7-BDAE-06FEC4ECBE04}\ProxyStubClsid32 | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC5AB8D5-6AFA-43B7-BDAE-06FEC4ECBE04}\ = "IAppCommand2" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{499D1391-3A6B-4F0F-844D-1DD9CA45ED03}\ = "IZoneAlarmUpdate3" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3540206-D91F-4B5D-B3EF-7526CB201CF1}\Elevation\IconReference = "@C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\goopdate.dll,-1004" | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40AE72F1-9B37-47C1-B09D-513425C48CBE}\InprocHandler32 | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC5AB8D5-6AFA-43B7-BDAE-06FEC4ECBE04}\NumMethods\ = "12" | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8515F47F-2E88-40E3-BF7C-8F6B35F9582D} | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A86AF1BE-D06B-4569-B99A-814124EA8B20}\ProxyStubClsid32 | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86BAA25A-9A0A-4F50-BCC4-1496BBDFBF6D} | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD29A878-82EC-4F08-97D7-8C7C691892F0}\NumMethods\ = "4" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1557BFC-F8CE-4EA3-9130-9F461F91379C}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3133AA91-F4A8-4C99-85FA-6C8BFE86CE62}\LocalServer32 | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.OnDemandCOMClassMachineFallback\CLSID\ = "{BC307423-DEA5-4E91-A312-A738BE74A13F}" | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD29A878-82EC-4F08-97D7-8C7C691892F0}\ProxyStubClsid32 | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7A50D4F-9FCE-48D7-B93F-A45944226ECF}\NumMethods\ = "4" | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CredentialDialogMachine\CurVer | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A93F6E13-DB63-493B-9170-BD91278A1E57}\NumMethods\ = "8" | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4AB999-B493-446E-B067-BF3E1C1B872F}\ProxyStubClsid32 | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4AB999-B493-446E-B067-BF3E1C1B872F}\NumMethods\ = "4" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D4E3B9-85B5-4402-B456-516E9B4AC7A9}\ = "IAppVersionWeb" | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC5AB8D5-6AFA-43B7-BDAE-06FEC4ECBE04}\ = "IAppCommand2" | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CoreMachineClass.1 | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3COMClassService.1.0\CLSID | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3065C225-61D8-4BD8-8341-BB49BB3A5257}\ProxyStubClsid32 | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8C715AA-73C2-4603-BB9A-7B67492B2D6A}\ProxyStubClsid32 | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1557BFC-F8CE-4EA3-9130-9F461F91379C}\NumMethods | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8C715AA-73C2-4603-BB9A-7B67492B2D6A}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92785311-171B-4358-A89D-11AC094F5717}\ProxyStubClsid32 | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39D75D4A-0F18-484D-88B4-25153FE1DD7F} | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F6129020-E3CC-4B89-B9B6-0945B68F3A8C}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CredentialDialogMachine.1.0\CLSID | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF42CD96-EED4-43DA-AB7B-B91BE0F7FEF4}\NumMethods\ = "4" | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3133AA91-F4A8-4C99-85FA-6C8BFE86CE62}\ProgID | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD29A878-82EC-4F08-97D7-8C7C691892F0}\NumMethods | ZoneAlarmUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92785311-171B-4358-A89D-11AC094F5717}\NumMethods\ = "41" | ZoneAlarmUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B930D828-1FD1-4255-8336-1CDA396C671D} | ZoneAlarmUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7CD5C033-8E26-4B96-A6FB-393DCCF30294}\NumMethods\ = "4" | ZoneAlarmUpdate.exe
-
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | ZoneAlarmUpdate.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [binary blob not preserved in this copy of the report] | ZoneAlarmUpdate.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [binary blob not preserved in this copy of the report] | ZoneAlarmUpdate.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [binary blob not preserved in this copy of the report] | ZoneAlarmUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | ZoneAlarmUpdate.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary blob not preserved in this copy of the report] | ZoneAlarmUpdate.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
1748 | ZoneAlarmUpdate.exe
1748 | ZoneAlarmUpdate.exe
1748 | ZoneAlarmUpdate.exe
1548 | ZoneAlarmUpdate.exe
1548 | ZoneAlarmUpdate.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1748 | ZoneAlarmUpdate.exe
Token: SeDebugPrivilege | 1748 | ZoneAlarmUpdate.exe
Token: SeDebugPrivilege | 1748 | ZoneAlarmUpdate.exe
Token: SeDebugPrivilege | 1548 | ZoneAlarmUpdate.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | entries (contiguous repeats of the same row)
PID 2012 wrote to memory of 1748 | 2012 | 24a4039692a2d0baa28bf7ee0456f82c.exe | ZoneAlarmUpdate.exe | 7
PID 1748 wrote to memory of 1620 | 1748 | ZoneAlarmUpdate.exe | ZoneAlarmUpdate.exe | 7
PID 1748 wrote to memory of 1164 | 1748 | ZoneAlarmUpdate.exe | ZoneAlarmUpdate.exe | 7
PID 1164 wrote to memory of 1976 | 1164 | ZoneAlarmUpdate.exe | ZoneAlarmUpdateComRegisterShell64.exe | 4
PID 1164 wrote to memory of 1912 | 1164 | ZoneAlarmUpdate.exe | ZoneAlarmUpdateComRegisterShell64.exe | 4
PID 1164 wrote to memory of 1648 | 1164 | ZoneAlarmUpdate.exe | ZoneAlarmUpdateComRegisterShell64.exe | 4
PID 1748 wrote to memory of 1492 | 1748 | ZoneAlarmUpdate.exe | ZoneAlarmUpdate.exe | 7
PID 1748 wrote to memory of 1704 | 1748 | ZoneAlarmUpdate.exe | ZoneAlarmUpdate.exe | 7
PID 968 wrote to memory of 1928 | 968 | ZoneAlarmUpdate.exe | ZANG_Install.exe | 7
PID 1928 wrote to memory of 1872 | 1928 | ZANG_Install.exe | dltel.exe | 4
PID 1928 wrote to memory of 1636 | 1928 | ZANG_Install.exe | sc.exe | 4
PID 1928 wrote to memory of 1240 | 1928 | ZANG_Install.exe | dltel.exe | 2
Processes (tree; [n] is the process depth)
[1] C:\Users\Admin\AppData\Local\Temp\24a4039692a2d0baa28bf7ee0456f82c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\24a4039692a2d0baa28bf7ee0456f82c.exe"
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\GUM964.tmp\ZoneAlarmUpdate.exe
      Command line: "C:\Program Files (x86)\GUM964.tmp\ZoneAlarmUpdate.exe" /installsource taggedmi /install "bundlename=Product&appguid={814E4157-8A6C-461B-A80F-B75931228CA1}&appname=ZoneAlarmNG&needsadmin=True&lang=en&ap=ZANG_EA200&usagestats=1"
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
        Command line: "C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /regsvc
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies registry class
    [3] C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
        Command line: "C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /regserver
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
          Command line: "C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Registers COM server for autorun
          - Modifies registry class
      [4] C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
          Command line: "C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Registers COM server for autorun
          - Modifies registry class
      [4] C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
          Command line: "C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Registers COM server for autorun
          - Modifies registry class
    [3] C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
        Command line: "C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuOTkuMCIgc2hlbGxfdmVyc2lvbj0iMS4zLjk5LjAiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTA5NkJFOEYtNUEyNS00NDBGLTk1MDQtQkRGQTAxOTE3QjIyfSIgdXNlcmlkPSJ7RkVBOTI2RjMtMTE3Ni00OTFDLThCNjEtM0RERDVFODUwRDkyfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0iezM2MDI2NDM3LTc4OEMtNDFGQS1CRDAwLUQ3NUM0MjI4MzIxOX0iIGRlZHVwPSJjciI-PGh3IHBoeXNtZW1vcnk9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy45OS4wIiBsYW5nPSJlbiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMjY5OSIvPjwvYXBwPjwvcmVxdWVzdD4
        - Executes dropped EXE
        - Loads dropped DLL
    [3] C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
        Command line: "C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /handoff "bundlename=Product&appguid={814E4157-8A6C-461B-A80F-B75931228CA1}&appname=ZoneAlarmNG&needsadmin=True&lang=en&ap=ZANG_EA200&usagestats=1" /installsource taggedmi /sessionid "{5096BE8F-5A25-440F-9504-BDFA01917B22}"
        - Executes dropped EXE
        - Loads dropped DLL
[1] C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
    Command line: "C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /svc
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\CheckPoint\Update\Install\{3D537793-6FF8-47C4-AB31-B144A93B87D0}\ZANG_Install.exe
      Command line: "C:\Program Files (x86)\CheckPoint\Update\Install\{3D537793-6FF8-47C4-AB31-B144A93B87D0}\ZANG_Install.exe" /SKU=AM,AR,FW,WebSecure /Product=ZA_EXTREME
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\nseF691.tmp\dltel.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\nseF691.tmp\dltel.exe" client_version=3.3.407.0 unique_client=NoClientID type=211127 meta_data2="{OS_INFO}" int_field2=-1 int_field3=0 int_field5=0 int_field6=262 int_field8=-1 int_field9=0 str_field1=StopCPOSFW str_field3=3.3.407.0 str_field4="NoSKU" str_field5=NoClientVersion str_field6="NoInstallDate" str_field7="n/a" str_field8="NoLanguage" str_field9="NoUMID" str_field10=NoClientID
        - Executes dropped EXE
    [3] C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\system32\sc.exe" query cposfw
        - Launches sc.exe
    [3] C:\Users\Admin\AppData\Local\Temp\nseF691.tmp\dltel.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\nseF691.tmp\dltel.exe" client_version=3.3.407.0 unique_client=NoClientID type=211127 meta_data2="{OS_INFO}" int_field2=-1 int_field3=0 int_field5=-3 int_field6=519 int_field8=-1 int_field9=0 str_field1=InstallGateWin7SHA2Required str_field3=3.3.407.0 str_field4="NoSKU" str_field5=NoClientVersion str_field6="NoInstallDate" str_field7="n/a" str_field8="NoLanguage" str_field9="NoUMID" str_field10=NoClientID
        - Executes dropped EXE
  [2] C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
      Command line: "C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuOTkuMCIgc2hlbGxfdmVyc2lvbj0iMS4zLjk5LjAiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTA5NkJFOEYtNUEyNS00NDBGLTk1MDQtQkRGQTAxOTE3QjIyfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0ie0E2Njg2QjRBLUQyMEYtNDQxRi1BNERELUQxQTAwNjg4QkI4Rn0iIGRlZHVwPSJjciI-PGh3IHBoeXNtZW1vcnk9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezgxNEU0MTU3LThBNkMtNDYxQi1BODBGLUI3NTkzMTIyOENBMX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjMuMy40MDcuMCIgYXA9IlpBTkdfRUEyMDAiIGxhbmc9ImVuIiBicmFuZD0iIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-…-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iNiIgZXJyb3Jjb2RlPSItMyIgZXh0cmFjb2RlMT0iMCIgc291cmNlX3VybF9pbmRleD0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjcxOTIiIGRvd25sb2FkX3RpbWVfbXM9IjQxMTA2IiBkb3dubG9hZGVkPSIyNjYxODY4MjQiIHRvdGFsPSIyNjYxODY4MjQiIGluc3RhbGxfdGltZV9tcz0iNzA4MiIvPjwvYXBwPjwvcmVxdWVzdD4
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdate.exeFilesize
162KB
MD5e48a5f1635cad3870bcd52980d7d9ff0
SHA1070421cce834bea5ef13cd309c6cf22619c1b2b6
SHA256980b2466f65aad81ee76cfd5e3d2c434752fe5d2118b35919f112948486cafd3
SHA5121683376addb7229c5aff29983f180776b6e9d892fd55aeda7457dc8cb981144a2c9a7a9b27883a0a05a8c7a32b894996f3076f0aa57b7b798d4c787ada7fd99e
-
C:\Program Files (x86)\CheckPoint\Update\Download\{814E4157-8A6C-461B-A80F-B75931228CA1}\3.3.407.0\ZANG_Install.exeFilesize
253.9MB
MD585ba23187f962ff38b346ef60e1b0a59
SHA1a6e9f5b3b922110547460df18e438560ca46ce2b
SHA25680ad83b2d1cbc70045502884a8acdf7edccf4e22ac97b0e0980c00db2101d073
SHA5129b2d4dc011ef09949c338b868803e1dc4e7e7b53930abfbec734ac9c907159ada267731e9af74a91912896bc2f74dd90fe9ad54330fe05e345c09c32d245e62e
-
C:\Program Files (x86)\GUM964.tmp\ZoneAlarmCrashHandler.exeFilesize
279KB
MD5041237abbe8c282b1cd4c30891890959
SHA1ffbf1504f14b030956f57b9a5b1d8edd6d19e338
SHA256e8faf199a12eccb4e9feecd96252d5a09e87d90a18c37d3ed3ac7888783a9978
SHA51261425b427a77c2ae2e566c5602908fd48d88d6079e3ee82c0890aa7d5c745ab984c6a79e1160ac34751f06233f056ec36d756d7876e64ee1272e60cd1cb77296
-
C:\Program Files (x86)\GUM964.tmp\ZoneAlarmCrashHandler64.exeFilesize
355KB
MD557c02d41bdf6a8f8d5a62b5f6ce6c8e8
SHA14f45aabae9c2b6692285402bce1860e6f32de332
SHA2563f5960fe7b0a67543475747d76dd91d0c583428c28a8fb712aecf06a69b2888c
SHA5128a2c57d89160496b556e6076855f5cea79bbba9c7514560f830c35eb735327facf79f68675b7e58576c5ac2db1be1a334a1c692874fa9f29d27c66a7c2d90c4c
-
C:\Program Files (x86)\GUM964.tmp\ZoneAlarmUpdate.exeFilesize
162KB
MD5e48a5f1635cad3870bcd52980d7d9ff0
SHA1070421cce834bea5ef13cd309c6cf22619c1b2b6
SHA256980b2466f65aad81ee76cfd5e3d2c434752fe5d2118b35919f112948486cafd3
SHA5121683376addb7229c5aff29983f180776b6e9d892fd55aeda7457dc8cb981144a2c9a7a9b27883a0a05a8c7a32b894996f3076f0aa57b7b798d4c787ada7fd99e
-
C:\Program Files (x86)\GUM964.tmp\ZoneAlarmUpdate.exeFilesize
162KB
MD5e48a5f1635cad3870bcd52980d7d9ff0
SHA1070421cce834bea5ef13cd309c6cf22619c1b2b6
SHA256980b2466f65aad81ee76cfd5e3d2c434752fe5d2118b35919f112948486cafd3
SHA5121683376addb7229c5aff29983f180776b6e9d892fd55aeda7457dc8cb981144a2c9a7a9b27883a0a05a8c7a32b894996f3076f0aa57b7b798d4c787ada7fd99e
-
C:\Program Files (x86)\GUM964.tmp\ZoneAlarmUpdateComRegisterShell64.exeFilesize
167KB
MD55199e0eb77f80e2387fc6bc0f2b3d551
SHA1b2b4d8556a74fcd4f5c64ea4d62ce837ba342844
SHA256eeae53ef1fffa0ecf7986de8943a8c0b52f56bdeaf679650f84deace7c33a483
SHA51266927a1bc50337cd079d8c1665472f2717518a2cc876ac70cec7fbfd90b36a8797f9149b5a08a4f8ea11222a3cf1b3f126f26a01904f14854fbc744df0c14916
-
C:\Program Files (x86)\GUM964.tmp\ZoneAlarmUpdateCore.exeFilesize
585KB
MD5ff66c67af8b2f663be474f978bfdb1a0
SHA1a9d206e2872907aaaad0bfbce83a3900910ae850
SHA2564a1cad04ed0628fb6171675652af4861081ff22e99e8531255e9efdb2975ad3b
SHA5129aa647fff03796239d6366d38793b0bf11b09e9f892e0b7e7a005cf108686181275f5e42e9887a596fa1f6cd6b17c836f8012e7988086042175b91fe796ddcc8
-
C:\Program Files (x86)\GUM964.tmp\goopdate.dllFilesize
1.7MB
MD5474db0ab6ca68165f911470457ebeaa8
SHA18ee5a40fc209bc9e042d80b2e39fb71b3f5cd8f6
SHA256e9c1679f31a088b3d6519caeb3d54d3bd92f3a0365357b31b0c0ae96914e8fdd
SHA512b3d489b7a4b3a3493837024f0972774d2f90021b3036df2056b110a180e21d535b08b080cb3499f4d17f5d0e79bde694e74a65384a0cc3724a53172020597371
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_am.dllFilesize
38KB
MD53e7ba40521b22d5b996fd9fa7372f779
SHA1844e4e9051ae0949a2ad22aae610fb170eb5bfc5
SHA256978b88afaf052c4fab7eb12e366ca29df83c386c8a42315b2acaeb95ec722325
SHA512cfd1fe3decd71e60e151816af68de5a5b302afe9ce517af81b10983fa27936835256dd1668d14f15031596dd509dacaec87d1d85240d0eb664179697341ae24d
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_ar.dllFilesize
38KB
MD5895897bdbe0939c0d4f51bc68db96dfd
SHA1b82174af4d3e1e6a669bd18676fd72c6e5bf6256
SHA256e3455bec8453b490bacb5e35934aa536cc47a4512a1633ab7c2cc363fa309a71
SHA512cc90c241abf98ec82a7c51694d53d6cc8d5f178babf7afbf141a77d001ba5d5bb0de820dceb97856522b851d3abd804ba8dbf1623023df4eb984742f0ebe48ff
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_bg.dllFilesize
40KB
MD5ad1bfa8ce2d5d4501a25d23b64c22798
SHA1d882c9a6cfff091318cc382df7892d7048ddf37e
SHA2564135fd194cbc52a4e7bf7300911bc00311a2ebac04958a84f6caeaa9a104a58b
SHA512efd74f6452cebe16f6f9e9f0100f88e1a3262e8d5af6023d35c8317a57f91a53af4269093ea467b048643826f8356e10990a7342ead8039bbbd064a7546daa3e
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_bn.dllFilesize
41KB
MD5c079d6085b6dcf4276f66588468e2823
SHA1bc3aef31e817e4a0d08e8b4a1d4fa7f26fdf9a31
SHA2567b654e29076fa77b2b2e8c477b3fe844043fcaf8ab34f21329af7033b22dd40c
SHA5125a34f9f85749306b9d75ea1c6893d5ccc3dd52eaabfbf934e48a7a80caefc4aa2d3eb0c9d14c6c9b59cc43cbf80562c4fb278441312c71eab6aa285cbbe9324a
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_ca.dllFilesize
40KB
MD5f305384449356a56f9141b91805dcc38
SHA190a80224d248163e9e796f96feea75d476147d41
SHA2562443d8b998bff1c795f8c51c96ee61c7a6aebbe2821e316c88aee726fbed9213
SHA5127e85bffa0682df848f2364e94f4a0063254bcc21fb0583308a794dc70bd6f02967b5520c9b852c4850a2c5e77b3bb10dee813814826c2223a0e2614644f30fe5
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_cs.dllFilesize
47KB
MD55fe00b272434117a7963fbce1b96967d
SHA1db2ee86e79de84a50714b4dd7f7e20cf210d0844
SHA25687f711ac3a115cff8a3b425d5ee2bf8af5eff4b0bb0e8dfba123f68ef1e18b96
SHA5122763451d954e998e691db2355d970a8b714684a6ba6a4d2e9b09360ca25e0eac5b03723374144e26a62b5d5833d41fe6d61b98cbdc9c428c224b4237aeecc3c1
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_da.dllFilesize
40KB
MD511cef50f49cf5066cf1c8e8cc3d0bb94
SHA1b144cdc065c667daa61cc5d9d84b66820735545a
SHA256ae7f8be5777b3c9c8f99270c86c30a02e784201de4f0ed61f8fcb65eee61ff78
SHA51279e4c103933dbbb0c18d15c896d6c7faa52cc2366ba3e67261835799b0ea0a75263d6d2646d1f7fe74abdd2fcc8d0c1fbeaadf3b49e892905c3e7c41a91dea7c
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_de.dllFilesize
41KB
MD5e34e6ac03ca62f50657d3a32009d85fd
SHA1a8481884ec468f7c4c2af9baa73fe8b4bcd81fd6
SHA2565e129531c9821db475f88b92efec2a3aa1e083d27cfaf2b53ecc3fd4eb611474
SHA51269a7d635f45c30ac85a0aad1647c7febe6713c22a866b420ccbb8254b5924dc3334995ccae92f18438d9643840556c460c1afd3304eae6bb2928d94bd936a88e
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_el.dllFilesize
41KB
MD597d03b2efae17fd100ad34b1466cfac6
SHA1d64b8981fcd0e8e25dc430353694f19a0d1efebc
SHA25659b15ea3b15f67cb599c0e1ba09cae3b6efc30ace7711f3b52212e2000bb9c2b
SHA512b3b8a2bcbf65674b35de4b080cde871ee720cd808d1ff7763de6d22b771968c0870109e0f37d990428a5f6199a5e44f00a847fb2989d8a10381dee9926b6a525
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_en-GB.dllFilesize
46KB
MD52085ba390dc6582b8232853bd415ab45
SHA173d6f4a8df3d839f548f2f143188ea2492c5afc8
SHA2565bf10b7d2f24f2c620fa7423cc4542623bad06843ea80dee6ebeed5390e71af5
SHA512ca27053f08c4b00bfb476369b2d729a3db8fea3b82a0f2125d9bf0e4e53644eaecfa00bf756d250be239b738b97d96bf6821abe5ac3beb41c0c03d382d0a24be
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_en.dllFilesize
46KB
MD51b94643c5700015c1a5c0ab1f41c84bb
SHA1ab55c7689c3350a0ddbf582ab6d5c179f02c94f8
SHA25610ee192914ffd099b2bd4fe72d9e10e49e664a401df809e3274bb7d117522a86
SHA512a9cdf2bc82d67736fd61ce03e268b959fdf3791442f521a927a51cfe8b6f7251fdf64154069bcf9cf451e5a1a9e8fcf7035cc00175c952fd958bc807647b7a56
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_es-419.dllFilesize
40KB
MD56ef6a8f2793691def47af52f791cb8ad
SHA1f7aab73965ef1a0f504673c8b7e949f388fa6302
SHA2569d1c480bf299c87135ae8ae288feeded0cb40f2fe092a7956eaaac8a4e72a4f3
SHA5127d12ee92ca6284a1a6d47b285426f51074fd1dd42a53809474cce49ffe37b23baa7af3b8417f67b83c76de0fe80eb4017273463b732e41b6e3817072a07a8cf1
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_es.dllFilesize
41KB
MD539ea8f437df6a9829b0e24e1bd707c6a
SHA19a6696edd2cc8609a0d5dc4446152c15631e2fa4
SHA25676207f82d37fb0d450e5b7c8c6e17dac969ab23f857018427978947cdf2b53f1
SHA512a0663782af9a085233e6edb2732f15774c42c22368fb3f7be1b897d0080363309c704a89b5854d8c317cc21a020daab80f99ecb2ea7102059edbef866c16cb9d
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_et.dllFilesize
39KB
MD56e7fcde39499a6958a4fc775366f95e7
SHA19f07f5f1e969d24946647f9944d680df400aa600
SHA256881fd00fb1700d8d4dcf2b5d37a37206d4c2b98d163522e4c5c5ca94cce33ca9
SHA512658c88b9f68b2fc3f357069aa46657286a0e4853841afa7af69c460643799893614f82c5378a825f19b15465cd6d70d2bccc80825ec0199f3c851e23200faed0
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_fa.dllFilesize
38KB
MD57d8ea5e2c517a4c27eb02b84632cde9c
SHA112a985f03daffcae8ee82a500f2e7b459c523f6f
SHA25681364287ee5b31c81a70d5a2cad1c6b0ff54e6b91d724ced9c20c52e15518414
SHA512d312796b7949534643e68883bffb9951b90468b636e204190415602726493dcf0ad2476f97408c57823cfe5c788b8011fba3b79fe58d69358c408ff34d52cd42
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_fi.dllFilesize
39KB
MD5ffc1551b69ab1cd3417ff80a8723329b
SHA1cfff92cfd0a4f946c928282472408958da7e96b4
SHA256d7539319114ab7cbb5c4c611d8783b0510a78aec390d3c7e78533926102b2ddc
SHA5129b478e16ca1a724f56d4bc54752f40a7f39500ecac05f8ef1b0ed09e751b84a3594ab7ba8c2315e8b6a938a3248f95b57a79e58fe0e740609985441ce90614a6
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_fil.dllFilesize
40KB
MD5bea79932ad302206707cd7189e4b98f3
SHA14e9a97e5708c99e19278d1f6c5bdb4279333fa91
SHA2565ff5caba17d1c3fb5d8a3b76055175d2b5c8a86657ce9f49e75f1ed4921b6539
SHA5127b3d5ca948e63ae14cf450d5697c8180b9eaf3c07d11394d3bf0f8e2faa41ae6aba007e9fcae900c0ded7c90cfe987955f219b4c8ed2dbd5c7e36cc80c1617b8
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_fr.dllFilesize
41KB
MD511290882ccbc24ced26a375e68204e58
SHA1ca8a9b5c025d20d03fe7839e6559b8077e42f040
SHA25669fd15f7743682e028b4ace949c5ff6dc7eba014f9af03bc9fa05a84fcd1d70a
SHA5120d92326ed252ea040ebc76cfe7a85806efc09ae1b3fedce5c09c47d61d2a63a22c4bedcd12c0db7e575d12edd76aa393502cd108529eb701c1f2af2ae911741a
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_gu.dllFilesize
41KB
MD543942ef9e24eef7239e8e9b7b17427b1
SHA149df0f0dbe61cf107f5b8df08f163181afdeda50
SHA2561627f531c95a9780507953898b5d71910dad80bb0f17144e4ee8e1b6f6c85fd6
SHA51263901da157470e430bf460faa9d30e70a81b702749e8f4dbc5cea30ff0e70c2628d69b0fad452f77df8e2e6651d6c4662a2d69fa5f79a47dc159e24b9242b70c
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_hi.dllFilesize
39KB
MD54490ab465b39d3524a61fe78a6407c98
SHA159d76925f8c76f1d6ae5ced82e3e4a0f26b67c7e
SHA2562605a5f05ee2d2eb6a9a94f2ef695334cb2edbf7e721dc631161b9163288a73d
SHA51210abfb16e06f47e139b1e1a1774763d3bb9f631b93a5ae375323d5348d9bd1f0daa28123c9dce5268e7cf74b9c75346b77cd4fcee8501629bdba4c35bd9f2c69
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_hr.dllFilesize
40KB
MD50491a056e8819e253ef0e0b89fa16b96
SHA1101fc020e339737f72a967f3b288868cf0056cff
SHA256c71a7e66b6abfb2e092ae822f02128f65fd54b588656c82e218d3d21e667ca93
SHA512298ad3e9b4e328052d53f2ac73b7511c7f049982405acd20a99883be5d5fb8ee3c85e0865c5fb62eef4920c42f8745db916c32d77a34751af6d81fcbf9ae0f24
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_hu.dllFilesize
40KB
MD5c37106b97be65db4f0bff889e2e0610d
SHA16444e0f41f674eecd4f9f75b4c240f2f3becfef9
SHA2568f85ad5acf375aae3d3c2bf1ff126b3df5c394dd29bc7a8745c8aa8a663d816e
SHA512d2df04ef9cbaccd98c23b72fb6283ca7c0956c94d615a803ff2d98adab7883125fc16e534af88b9b116f0ebc63c8ec2106723e6011da7354dbaf3fd23cab90a3
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_id.dllFilesize
39KB
MD57013cc13f670fbcbaf85a1afcb54f1db
SHA1b95812583e8119d112d279e6978ad4757f6478f6
SHA2564a753baaee7815039f0f221cf874550581b0648438a843a3a1b24aebdcac934a
SHA512389bf8d2b5d31d2e1ba96e615e1cefb568ee502610c2c9d855276173aeaacb366c642d3c676cb58015cd96118a04fb74f1a995e01de79f25daf8b2ac52197b0e
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_is.dllFilesize
39KB
MD58e7c4562d57bb8ed4bb7a18e4d60aee4
SHA1d1305bb62c6e4801e0fcad84f840e47caee49cef
SHA2566e0f1eb6978adb15ffc55dbc4594745814ace046534a344e83c0d926ba39fd48
SHA512251bc524c31a71c4d893499b868eab1a14daa32107d4de1d8f68512486c0990b9f850db16bd4c0b1895942acade381f9e8b485b551286988eadfd7cbfd65dc6b
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_it.dllFilesize
41KB
MD5809bc4efea05d16ac6b31e8e0e822848
SHA120793d89c9e6173ec5f2414129a22c6050790a75
SHA256c09b0b2998700c83872c4ae41042c5360830351066fa0d97e702757695d1dedb
SHA5123e24705f4da8b6c15a840caa2565c2d3480a2fee8d7b1ecd0dc2ee34198231784df69c3f924ca0f1783079890a3810f3fa64860101c9ff23115a212e5caf5165
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_iw.dllFilesize
37KB
MD5bcb0f5bf20549250c666f6c210eb9080
SHA18dc41a04d15be5d292f9434cba2a75877593a28b
SHA256e22130efcc8038a8b20aec27758092ea5804ddc4a42c94baca009776fcd55035
SHA5121d3b9bff07f8d86612e186f124bf06555d39bb8967f83a353b1341c81aca1bf19cdaa0c45b325f183921194b81a248434fc883f1e512715fd70421dcc458f1f8
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_ja.dllFilesize
36KB
MD5ad0092f00535fd4b63cfdf772dbb0365
SHA13260293204dbe52b9a2d89c2e3e9e4f4edfc97bc
SHA256e66fc74c419d74ef47cad41fff49197a37bfd2ac77fa948424ce4defd5028378
SHA5127eb20906a4ec914d53e36259c011de9a9bffffc9b3f9bea5e11a54697233b01c169e7d06a310254e6dccfc7ae34ee1d54514041815c9a01f9b47c1305d34f8f6
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_kn.dllFilesize
41KB
MD54e6c68b6d7e7446969dac4f97ba29d9b
SHA13e7ffb54a2d3bee343b38f13b7a018b6a0486bee
SHA2562d32598548c5fa89dda25d350183d429e40cff63fcb5e3400826d87af19dd219
SHA512e3b65878bd5ba48923d280b57c297ebba16fdce72934ea7f415ab52b0c5731e9d71a659047120eebd9e8f3f0d4c6af13edfc30af964408f7c28a5e9af363dba8
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_ko.dllFilesize
35KB
MD5534c25868aa75ac0708fd1d861169166
SHA18f888b113d24d2adadb893ffaddc09ab7b9bc517
SHA256784662c6d4eace25f9be687618ddc21e71498a8bb37c85d5da7c28ae0fb1ae42
SHA5124ecbf0c15d9714d5c6b39e03ca13709c2ae2fb2d69541c1cb64027eea9715e5a4f2be88159e31640c45ff9afbf7f93d137c7a7a2e7c21a2a6d8ee84f33793c03
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_lt.dllFilesize
39KB
MD5fcd4362eed0f293fc79ef14072f61a6e
SHA1bf20bfda1816c9ccc610c4684e186f76fa09df5e
SHA2560c5b13a17d780dbb1cb0316f2f88d824ef8b93cffe587ffde8eb219a24d03010
SHA5124db133b5fed24799d1e3782b57971ec332bd868681356529bb2080876d99e9338995287a179ade76348f73141f0ffb7ebdd1accf276e8c75aafbe1034e01ac7f
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_lv.dllFilesize
40KB
MD5aba3a491bb97ce4ff56306793b4e9dc9
SHA123fa01810ca7c4a01e2fb03e0a24877e54e662f9
SHA256c2ab48114bcde313262ad18e848a5d42e2781f862fec4e02bb50fb32fac21095
SHA51229b18e3b7223c87ccea599c7b491fadc67cd2f8bf1c407475baf3cabfc176056438a92aa7fb892ba561ccd19d305e072cd1837496247a3d1a276caff20cb4612
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_ml.dllFilesize
42KB
MD5449dc4eb28a9bcdbc2a10e6dc98aef90
SHA106e5b9bd1dc2fd4eaba313bd28ea4b7b2c6affbb
SHA256b2cbd8c3db77c63c285a64be30808ff17fb74dd1e5ce3edd4fb4af697d9b1356
SHA51250df77f526baec4e6611637a9e35540e5d275711c69a62dcb4c58e56bbd9c61935faf367ca4c7c787049194daeca86c6d3a019346a1a724663a23da76878ead5
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_mr.dllFilesize
41KB
MD50d74faee97b70f64bf6cdae92e46c282
SHA1c21bea52c9f61dac999720af7572d004bf3db2fa
SHA256a5c5094552cd2120c9b50652fd5887081cc6bdae9955a64c4777281dc813f331
SHA51221057a2c354f5b1ea02e3b7a0f7f17c03da0c85590e851010509634335ccf259bfe1ef30a8940c265abc22c8c9b0e44d90f942a22879840b0dc062efd2be3c54
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_ms.dllFilesize
39KB
MD557c2d467da78e94163930f6714b62220
SHA14214935114aac67121ceec1f5c8b219708f249e9
SHA2566d08e6ea51f4441fc562b81c4f78aa29e53403f3aea8b02e71d0e0ba9cda2029
SHA512501998aa8749a6c4e7f182f33f7b20e1d2f5eb75033dda3cd55bab7420de2c531ddc4fab284559b4656d10f56e0e3afadc725df96f536f067bcf2f5887c2fb84
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_nl.dllFilesize
40KB
MD557bb36bd2b3c666b6c9bda08b6270506
SHA1ab702e5661c321c17b2e0fe5d546871d094d2c8f
SHA25666601ed0b8883ea6fc5fa6efd79b4355c32d42c7162829b08aa1c4d0ced64474
SHA5129dbb11c18af9980c044d59fc8167bdbba88099c9b75bf46e6441c503a4b734cf19be1415051e448505dc3511b3662a7ec2d3932f033f5a098203eff831a59c83
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_no.dllFilesize
39KB
MD5663791529c5efaa6f2b3aa3379613ed2
SHA1605d0a92ebd45bcf997f44957332ca3b08e0a09f
SHA2566665a7ca80fb2fbf5557f2f3b0b752e4110a412a4f2a2fffdfa8f97bbe140b41
SHA51218dfa19d2d66646be82c928d7a77fb4df806ad5875c7257b804f149fad828d81f9629c59b3905bbbe40f7a3b4d70f09249268b9896b6040bf027cc1bcad52759
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_pl.dllFilesize
40KB
MD5613962f8deefc367a25338365d466215
SHA1a30fb61af3797ad286e352b0c327f6dca6e601f0
SHA25645a58376b0a2bd6ed7d46bbe1a5de2b443a29eee139ee1c37754f269f9013b53
SHA512740024c38330ab906ee34ec888f33e6a3a4542f521193a2242e285fbf2e435e5893c8819c5b8b8b0ca7f2612cdb7f15499401dea76fc4d6034121677f938f99d
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_pt-BR.dllFilesize
40KB
MD57608bf0e929799c281a5082b56fd69cd
SHA16dda7d7ae63a6b4a4ee1ec99bcf1d924736957ec
SHA256f2c764c556ebdfbaa246e37a23f873525ca0ff1f5d2fb42aa541c5baa325c2ca
SHA512f270a69fab581d9c8265206e999bfd8d4eac0ee4a0db7e64190cd02ff627236030ea1d1d9c95712a3552792259783593d231f0d852dddda079f87d5aadf179dc
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_pt-PT.dllFilesize
40KB
MD5048053db8af54bf3412b741ac14caff4
SHA16c86671553b46d70650087e923eb653dacdf0352
SHA256df98834c4494ba37f78b6f2388b17ce8f726c89deb0a55c0a3d26e8ccd52de1d
SHA5124b3c01ef98edd117516b6374afc182a358066676afcb2d29f418562867799822bca305fb6920ca0daaf5a69c46f12701074e76b9643af882959db5815254ae1d
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_ro.dllFilesize
40KB
MD505762cf574d5f7e7780365b255d635e0
SHA13bd3a7289607581e2e2d060f8abe4b6e864f6007
SHA2568edae227038336385adc7009be271839ced13693ed4e519cc13a5836b6be74f3
SHA51272dd30cd39e0d9bc432214e368e58af7de1006d0913c6bf78dbfdb1b442b86d53af68afe2d934a5e770e7818edfbf6c9972361b88687998786cc69dcf58c7768
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_ru.dllFilesize
39KB
MD536135ed19ac4fa31a1de825c366b572b
SHA15849281550c128e909a1415eb5455339551703e4
SHA256b42ed63865d88e4972e83708352dde90c3f4e3ecf317b37a0df7173ab8fa5220
SHA512392f891c50e95a8cc888f34f40faca82c16ab6de4f94d4167e6e398084390a5b2a6826a08903cab6fd9f77abdda55cc2e4b1c5766a109d566ead263f4d76153b
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_sk.dllFilesize
39KB
MD51fcb769e36c2923c218ad11e56672545
SHA1ae0028d4ea7ed5771103300ccfeb50d61fcbb682
SHA2563608e6576b2b204aa2bd0d82cf8793adfe97ef5415eaa8f84d4066deb8af274c
SHA5123e511ca4d573de3f8a3a535b9772735f7a720f4f04e477c29d280e73e37a826bc4411544478eac4963288e69be4daa9de497d696bd15741b83e118be16d052ff
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_sl.dllFilesize
40KB
MD55938dd2722e6fd07cf7aaf5b31083a5c
SHA1b6f66ac2046532392f86a22a913277dd0c405fa9
SHA25680c48f045d55759ac1eeb9b5ffb2143dc16b3604fb0a70015bf1f169c40f6635
SHA512878a503baa2d187cdd860b8b6c2e6b5a21357b0eaa4d54038f5c976061c1151a577094c9a7450b66f8a88bcc4a20718bfaa46f987a4546d1220b5ea041dce77c
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_sr.dllFilesize
40KB
MD5685a4ab23f7922381c0f6bc345f065c7
SHA1c99206c19c73d1c8552fd1845bbf1979e9bc52ce
SHA256c8dcea937316ccbbf81041b18d63e6ce5d5a5f88ebf81f522f723b92dc1803de
SHA512dff7db97f20235eb9d6b5eefa41a16d83b0e7c066747efeb1afc9c6bdf288ca6d285c052e5122dd9a6fabdf2f0a895e63039632137c2bf43ad15fab2648a9034
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_sv.dllFilesize
40KB
MD539f7b88d687a8d6ab336031c149beb76
SHA1e4c6e9418ee5cc0d66b4cd03cd148d8c1a1bdd49
SHA256e56df56216f9dd0be70fcf5476d59c54219263ff4735121cda4516075dcca95e
SHA512ce16adac7dbdaf293ab4bcf29398750588c589159cc78c17532f21247e2a3a99e9c25bb10fd3df455fe94bfbba334bf7a2aa87477b7f5ac15e565e1d91c36d29
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_sw.dllFilesize
41KB
MD57ecce68dde93b9c3192426ad14f3c125
SHA187b4593c8c70f192e1479d0577f13d0e00f31a3b
SHA256823f10c05156a7e70a3a067a0c251e62d0a5afb462cfcdd5d80f8323310bfba0
SHA512f709e0956b1eaafcf157f10e46c7543c039742d184930b8a4943510bee3c4a8d62ebabf11ebd1c57a231ef82ab138cf2f3bba13900612e70e9af5677c7a4e0a8
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_ta.dllFilesize
41KB
MD5058431a076103b070d0712723dabd9b3
SHA11a7887ff21a1b592464591c952611d9e1466339b
SHA25673387fa549ac49b37fee3a055425d268e6c42c28790c2229ef6a5af77f86762c
SHA51298eefe27c4c13b7a2f574bf1d6ad337051a61dbfd30b9952df612c0e0b7b8263766eb1eea49f7d7da7841172a1643beacfa2824118f22bdad3eab588e1426857
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_te.dllFilesize
41KB
MD5b947f307800156b11c1ecaaa77aa2a89
SHA14c7442849b2c4b036cc91e5818a588173ba651bb
SHA2562ed78b27397cc0ebe44e5759a85770206bb84d2c3ff9678f95ebe17eaa5ad81f
SHA512a791b4b6088f95d2ddae0a5a7a5004d3d6cae2a17ab7cc116dbc7cbd005fa990dc04f09ead9096d1ca04c3add02bf5245d6805e3a5688a3f7a0b37bc9d2fd2fd
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_th.dllFilesize
38KB
MD5d328c70c4f489313265e396086dda43a
SHA169e6db8e0fc55bbb361e6647dda57292fc79e877
SHA2560157951bc034829cd87f08a486b7634861246133c2718665dd408bcef935b7c8
SHA512db82be5252200438ca4acc55809e29d5b098b8580147fe16aa1defe8e36058381602f8026e6e412e765941f5d1c7650ae611af623c00d835d1e107c287af8a73
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_tr.dllFilesize
40KB
MD5a2a7f16ad5b842bb78be30f1192ee353
SHA1f86e301e6bce748e712fdf466d5b4472942d7005
SHA256416843d52929df9513f2317bf71e50688f6473a090f6bf29194814557ec227bb
SHA5122cc75aac0581b644f5b00858237f956084e5f633bf629204cb184ac4520754304c10cc2adaadd66ee27750193fe1c1f49966b2aef59c80fd86eb1dcd144e85cd
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_uk.dllFilesize
39KB
MD5b13f048d65cc8c623d9f96e84574c3de
SHA1b1d7479427cf3cc3f1aaad93aabf12e87fdb10d7
SHA25666f737b68940888974937cb23380fd165e07bb666424f8a87dc0a261fca60729
SHA512b8667b74dc9437eecd516de226b870e3b4a02affa2a47fd90b5bdc6f57cf960f530bfc63ff3e00d5beef07af85554ebcaa42544fee91a229aea531885165e2ba
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_ur.dllFilesize
39KB
MD545967d9a98b0936b5c74cd6bdd06437a
SHA1687be3316863622a99475d9cbd9731c11d4e371e
SHA256f9537c443e402df36ef17fa888aed4328dde46c12739e1c3a07c13f4e0219fa6
SHA512ab92d767027120bad7865ba3a877e5510522ea62cc2cb1c48812ffed0f45d7aec25db74eb1348cb04826af6bb99183a60dfc1717469963245b60f23c0717b191
-
C:\Program Files (x86)\GUM964.tmp\goopdateres_vi.dllFilesize
39KB
MD55874bb0f7baa6879d86b5ae468f4391f
SHA1dd4b3da86a5c7916e3f64d69db41fcf0799c254f
SHA2567e39a4ece3d3bbbb269d4d56c6e20a4ac65ace0c5834e7df94740cbc5aae9ecb
SHA512b35e5f6581b248ba1e9b1a2464990bb5b623c800bcf83e5869c6c501dc2109fd19f682289ca9dfa95a2b6fb8faa2f61404fb25a36b9d847d4aefeaff404425f7
-
C:\ProgramData\CheckPoint\ZANG\Logs\Install\DropInstaller.logFilesize
1KB
MD5660307df6077c0c8421879edff4506b0
SHA1cfb84f657f189a99d1a3c034dc35c0fdabc2e08c
SHA256c31d5e12e06a5546d0a74293ecb486b22ad467c779c8cf6423623a1381cadf2d
SHA512aa8e78873b54fce1cea2461fa988d1efc81e1e37036a7bf1cc1df85677f5536e89e81a9d365c04d5181557a3b625c1514fcdac1bb13adc4a8e0aea88867546ce
-
C:\ProgramData\CheckPoint\ZANG\Logs\Install\DropInstaller.logFilesize
2KB
MD516daddee3bf7b2dad4fd594c70fd1f36
SHA176208df2a2912c2a1bf7c68e406cf3dc1c4e0b78
SHA256720315bcffa68dfa1a363ee5be3d9b68e7ea9dc3b4f79bb4b3f3b41bf20aa40e
SHA512435f013e8e7e907a399387bca3af18f4af226216fbdee9026cc57963173bcc37b455c808141c425b911eca7c68be336b31c7aa4c30a7c3f5a07ba316b94af0c1
-
C:\Users\Admin\AppData\Local\Temp\CabFD63.tmpFilesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
C:\Users\Admin\AppData\Local\Temp\TarFEBD.tmpFilesize
164KB
C:\Users\Admin\AppData\Local\Temp\nseF691.tmp\InstUtil.dll (Filesize 971KB)
C:\Users\Admin\AppData\Local\Temp\nseF691.tmp\StdUtils.dll (Filesize 100KB)
C:\Users\Admin\AppData\Local\Temp\nseF691.tmp\System.dll (Filesize 12KB)
C:\Users\Admin\AppData\Local\Temp\nseF691.tmp\dltel.exe (Filesize 890KB)
C:\Users\Admin\AppData\Local\Temp\nseF691.tmp\nsExec.dll (Filesize 6KB)
\Program Files (x86)\GUM964.tmp\ZoneAlarmUpdate.exe (Filesize 162KB)
\Program Files (x86)\GUM964.tmp\goopdate.dll (Filesize 1.7MB)
\Program Files (x86)\GUM964.tmp\goopdateres_en.dll (Filesize 46KB)
memory/1704-344-0x0000000000190000-0x0000000000191000-memory.dmp (Filesize 4KB)
memory/1748-298-0x0000000000350000-0x0000000000351000-memory.dmp (Filesize 4KB)
memory/1928-475-0x0000000000580000-0x0000000000581000-memory.dmp (Filesize 4KB)