Malware Analysis Report

2025-01-18 21:46

Sample ID 240414-ze118sda64
Target ef74fd396eeef824295ab7e71b797661_JaffaCakes118
SHA256 126dccedaa7920ed15f0da5cc12df6c194a984b0209fe0b5e6726499db49fa23
Tags
adware persistence stealer upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

126dccedaa7920ed15f0da5cc12df6c194a984b0209fe0b5e6726499db49fa23

Threat Level: Likely malicious

The file ef74fd396eeef824295ab7e71b797661_JaffaCakes118 was found to be: Likely malicious.

Reading the verdict against the indicators below: the sample installs Zona (it writes C:\PROGRA~2\Zona\License_uk.rtf and drops C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe) and hands off to a bundled Java 7 runtime MSI. Every persistence indicator in behavioral1 is written by MsiExec.exe and points into that Java install: the CLSID InprocServer32 entries resolve to C:\Program Files (x86)\Java\jre7\bin\jp2iexp.dll, the Run value launches C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, and the Internet Explorer ElevationPolicy entries carry AppPath C:\Program Files (x86)\Java\jre7\bin. The A: to Z: drive enumeration is performed by the Windows Installer service itself (C:\Windows\system32\msiexec.exe). The adware and stealer tags are inherited from the Browser Helper Object and Internet Explorer settings signatures, not from any credential access or exfiltration recorded in the signatures shown here, so the score should be read as bundled unwanted software with installer-level persistence until 41javaSetup.exe, the Zona components and the MSI packages cached under C:\Windows\Installer (f76deea.msi, f76def0.msi, f76def5.msi) have been reviewed on their own.

Malicious Activity Summary

adware persistence stealer upx

Downloads MZ/PE file

Executes dropped EXE

Registers COM server for autorun

Checks computer location settings

UPX packed file

Loads dropped DLL

Adds Run key to start application

Blocklisted process makes network request

Enumerates connected drives

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-14 20:38

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 20:38

Reported

2024-04-14 20:41

Platform

win7-20240221-en

Max time kernel

148s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0045-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0024-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0007-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0026-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0071-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0055-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\"" C:\Windows\system32\msiexec.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A
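
The registry rows in the persistence signatures above (CLSID InprocServer32 registrations, the Run value and the Browser Helper Object keys) all use the same fixed "Description Indicator Process Target" layout, as do the Internet Explorer ElevationPolicy rows recorded later in this analysis, so a responder can turn them into IOCs mechanically rather than by hand. The following Python is an added example, not part of the sandbox report or its tooling: it parses rows in that layout (nine rows copied from this page's tables are embedded as the constructed sample), groups them into persistence categories, and lists the binaries that will be loaded at the next logon or browser start so they can be hashed and signature-checked first. The category names, the per_user flag (a CLSID registered under the user's own Classes hive is consulted before the HKLM entry, the location COM hijacking relies on) and the ELEVATION_POLICY table are the example's own; the Policy meanings follow Microsoft's documentation of Protected Mode elevation policy, not anything the report states.

```python
import re
from collections import Counter

# Constructed sample: nine rows copied from this report's behavioral1 tables,
# in the sandbox's own "Description Indicator Process Target" layout.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin" C:\Windows\syswow64\MsiExec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\charsets.jar C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
"""

# Description, indicator, then the process path (may contain spaces) and the Target column (N/A).
ROW_RE = re.compile(
    r"^(?P<desc>Set value \((?:str|int)\)|Key created|Key opened|Key value queried"
    r"|File created|File opened \(read-only\)|File opened for modification) "
    r"(?P<indicator>.*) (?P<process>[A-Za-z]:\\.*?) N/A$"
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")  # the \??\X: form the sandbox logs for drive probes
# Meanings of ...\Internet Explorer\Low Rights\ElevationPolicy\{guid}\Policy per Microsoft's
# Protected Mode documentation (assumption of this example, not stated by the report).
ELEVATION_POLICY = {"0": "blocked", "1": "silent, low integrity",
                    "2": "prompt user", "3": "silent, medium integrity"}


def split_value(indicator):
    """Split 'key = "data"' into (key, data); a bare key gives (key, None)."""
    if " = " not in indicator:
        return indicator, None
    key, _, raw = indicator.partition(" = ")
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]                          # the sandbox's outer quotes
    data = re.sub(r'\\(["\\])', r'\1', raw)      # undo its \\ and \" escaping
    return key, data


def classify(desc, indicator):
    """Map one row to (category, details); registry keys keep the sandbox spelling."""
    dm = DRIVE_RE.match(indicator)
    if desc == "File opened (read-only)" and dm:
        return "drive_enumeration", {"drive": dm.group(1)}
    if desc.startswith("File"):
        return "file_activity", {"path": indicator, "op": desc}
    key, data = split_value(indicator)
    low = key.lower()
    guid = GUID_RE.search(key)
    d = {"key": key, "value_name": None, "data": data,
         "guid": guid.group(0) if guid else None}
    if data is not None:  # when data is present the last path component is the value name
        d["value_name"] = key.rsplit("\\", 1)[-1] or "(Default)"
    if "\\currentversion\\run\\" in low or "\\currentversion\\runonce\\" in low:
        return "run_key", d
    if "\\browser helper objects\\" in low:
        return "bho", d
    if "\\clsid\\" in low and "\\inprocserver32" in low:
        # A CLSID under the user's own Classes hive (HKU\<SID>_CLASSES) is consulted
        # before the HKLM entry for that user: the location COM hijacking relies on.
        d["per_user"] = low.startswith("\\registry\\user\\")
        return "com_inproc_server", d
    if "\\low rights\\elevationpolicy\\" in low:
        if d["value_name"] == "Policy":
            d["meaning"] = ELEVATION_POLICY.get(data, "unknown")
        return "ie_elevation_policy", d
    return "registry_other", d


def triage(text):
    """Parse every non-empty row; rows that do not fit the layout are kept, not dropped."""
    findings, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        category, details = classify(m["desc"], m["indicator"])
        findings.append({"category": category, "process": m["process"], **details})
    return {"findings": findings, "unparsed": unparsed}


def autostart_binaries(findings):
    """Files loaded again without user action: Run commands and the DLL behind each CLSID."""
    paths = set()
    for f in findings:
        if f["category"] == "run_key" and f["data"]:
            paths.add(f["data"].strip('"'))      # drop the command line's own quotes
        if f["category"] == "com_inproc_server" and f["value_name"] == "(Default)":
            paths.add(f["data"])
    return sorted(paths)


def category_counts(findings):
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(category_counts(result["findings"]))
    for p in autostart_binaries(result["findings"]):
        print("autostart:", p)
```

Feeding the whole behavioral1 table through triage() instead of the nine sample rows gives the full CLSID list and, via autostart_binaries(), exactly two files to hash and signature-check (jp2iexp.dll and jusched.exe); if both verify as Oracle-signed Java components, the "persistence" rows are the installer's normal footprint, and attention moves to the Zona files and the dropped 41javaSetup.exe that the signatures above say nothing about.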

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\javaws.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SysWOW64\java.exe C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\java.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SysWOW64\javaw.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SysWOW64\WindowsAccessBridge-32.dll C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Java\jre7\bin\net.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Australia\Brisbane C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Tarawa C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy\messages_de.properties C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy\splash.gif C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\javafx.properties C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\Jujuy C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Baghdad C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Tashkent C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Australia\Lord_Howe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Sofia C:\Windows\syswow64\MsiExec.exe N/A
File created C:\PROGRA~2\Zona\License_uk.rtf C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\accessibility.properties C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\Ushuaia C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Hovd C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Rangoon C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\SystemV\MST7 C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\charsets.jar C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\ext\access-bridge.jar C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Cayenne C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Manaus C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Merida C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-13 C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy\messages.properties C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy.pack C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Sakhalin C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy\ffjcext.zip C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Andorra C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\SystemV\PST8PDT C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy\messages_fr.properties C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\security\US_export_policy.jar C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Bissau C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Atlantic\Madeira C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\jp2native.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Accra C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Indiana\Petersburg C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-12 C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\javafx-iio.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\jdwp.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Maceio C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Whitehorse C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Khandyga C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Anadyr C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\javacpl.cpl C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\javaw.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\WindowsAccessBridge-32.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Edmonton C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Goose_Bay C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\La_Paz C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Saipan C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\libxml2.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\management-agent.jar C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Scoresbysund C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-2 C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Chisinau C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Pitcairn C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\jsoundds.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\security\javafx.policy C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\security\javaws.policy C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Shanghai C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\w2k_lsa_auth.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Bahia C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f76def5.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76deea.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76deed.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI597.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE5B8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76def0.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76def3.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE60B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76deea.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICE9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76deed.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI170A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76def3.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI195E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76deef.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76def0.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\msiexec.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\msiexec.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "38849540" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe" C:\Windows\syswow64\MsiExec.exe N/A
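The Low Rights\ElevationPolicy key is how Internet Explorer's Protected Mode decides which broker processes a low-integrity tab may launch and at what integrity level; a Policy value of 3 means the named program is started silently at medium integrity, so every entry is effectively a sandbox-exit allow-list item. The rows above are written by MsiExec.exe and register ssvagent.exe and jp2launcher.exe under C:\Program Files (x86)\Java\jre7\bin, which is the layout of a JRE browser plug-in install; the entry for {5852F5ED-8BF4-11D4-A245-0080C6F74284} is recorded with a Policy of 38849540, which is none of the four documented values, and with no AppName or AppPath value captured. The script below is an added example, not part of the sandbox report: it parses rows in this table's column layout, groups them by ElevationPolicy GUID, decodes the Policy value, and flags silent medium-integrity launches, undocumented policy values, and AppPath entries that point outside Program Files or Windows. The policy meanings follow Microsoft's Protected Mode documentation; the trusted-path heuristic is an assumption of this example. Sample input is copied from the table above.

```python
import re
from typing import Dict, List, Optional

# Sample input: the "Modifies Internet Explorer settings" rows from the
# report above, copied verbatim. Non-ElevationPolicy rows are included to
# show that they are parsed and then ignored.
IE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "38849540" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe" C:\Windows\syswow64\MsiExec.exe N/A
"""

# One report row: operation, registry key (may contain spaces), optional
# quoted value, then the writing process and the unused Target column.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<type>str|int)\)) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<process>C:\\.+?) N/A$'
)
GUID_RE = re.compile(r"ElevationPolicy\\(\{[0-9A-Fa-f-]+\})(?:\\(\w+))?$")

# Documented Protected Mode elevation policy values (Microsoft IE docs).
POLICY_MEANING = {
    "0": "Protected Mode prevents the process from launching",
    "1": "Protected Mode silently launches the broker at low integrity",
    "2": "Protected Mode prompts the user, then launches at medium integrity",
    "3": "Protected Mode silently launches the broker at medium integrity",
}
# Heuristic for this example: brokers living anywhere else are worth a look.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows")


def parse_elevation_policy(rows: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Group ElevationPolicy rows by GUID; ignore rows under other keys."""
    entries: Dict[str, Dict[str, Optional[str]]] = {}
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        g = GUID_RE.search(m["key"])
        if not g:
            continue  # e.g. ActiveX Compatibility rows
        guid, name = g.group(1), g.group(2)
        entry = entries.setdefault(
            guid, {"AppName": None, "AppPath": None, "Policy": None, "writer": m["process"]}
        )
        if m["op"] != "Key created" and name in ("AppName", "AppPath", "Policy"):
            entry[name] = m["value"]  # None when the report shows no value
    return entries


def triage(entries: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Return one finding per condition an analyst would want to see."""
    findings: List[str] = []
    for guid, e in sorted(entries.items()):
        policy = e["Policy"]
        if policy == "3":
            findings.append(f"{guid}: {e['AppName']} launches silently at medium integrity (Policy=3)")
        elif policy not in POLICY_MEANING:
            findings.append(f"{guid}: Policy={policy!r} is not a documented value")
        # Registry export doubles backslashes; normalise before comparing.
        path = (e["AppPath"] or "").replace("\\\\", "\\").lower()
        if path and not path.startswith(TRUSTED_PREFIXES):
            findings.append(f"{guid}: AppPath {e['AppPath']} is outside Program Files / Windows")
    return findings


if __name__ == "__main__":
    for guid, e in sorted(parse_elevation_policy(IE_ROWS).items()):
        print(guid, e["AppName"], e["AppPath"], e["Policy"], POLICY_MEANING.get(e["Policy"], "undocumented"))
    for f in triage(parse_elevation_policy(IE_ROWS)):
        print("FLAG", f)
```

Run against this report the parser yields three GUIDs: two JRE brokers with Policy=3 (expected for a Java plug-in install, but still a Protected Mode exit worth recording) and one entry with an undocumented Policy value and no captured AppName or AppPath. The same parser accepts any registry table in this report's layout, so it can be pointed at the other "Modifies" sections unchanged.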

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0040-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0094-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0075-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_57" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_05" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0079-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_39" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_06" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_17" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\InProcServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 2212 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 2212 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 2212 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 2212 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe
PID 2212 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe
PID 2212 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe
PID 2212 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe
PID 2212 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe
PID 2212 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe
PID 2212 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe
PID 2456 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
PID 2456 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
PID 2456 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
PID 2456 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
PID 2456 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
PID 2456 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
PID 2456 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
PID 568 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 568 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 568 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 568 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 568 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 568 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 568 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2004 wrote to memory of 1476 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2004 wrote to memory of 1476 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2004 wrote to memory of 1476 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2004 wrote to memory of 1476 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2004 wrote to memory of 1476 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2004 wrote to memory of 1476 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2004 wrote to memory of 1476 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2004 wrote to memory of 1760 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2004 wrote to memory of 1760 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2004 wrote to memory of 1760 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2004 wrote to memory of 1760 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2004 wrote to memory of 1760 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2004 wrote to memory of 1760 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2004 wrote to memory of 1760 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1760 wrote to memory of 2604 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2604 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2604 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2604 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2968 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2968 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2968 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2968 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2680 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2680 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2680 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2680 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2064 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2064 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2064 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2064 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2468 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2468 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2468 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2468 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2492 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2492 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2492 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2492 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1760 wrote to memory of 2668 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe"

C:\Windows\SysWOW64\cscript.exe

cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs

C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"

C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe

"C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A3DF7D81F5A886DDD09FDC99170E0F52

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 24DB498CDBF42427CE209154B2810583 M Global\MSI0000

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump

C:\Program Files (x86)\Java\jre7\bin\javaws.exe

"C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator

C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe

"C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW5camF2YXcuZXhl -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\AU\au.msi" ALLUSERS=1 /qn

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 564617C7BB2B85CA513CA45BE14D5FC4

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.7.0_80-b15

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" ru.megamakc.core.JavaArch

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Roaming\Zona\tmp\18467Zona.7z" "C:\PROGRA~2\Zona" "C:\Users\Admin\AppData\Local\Temp\zonaErr_core_-564669418.log"

Network

Country Destination Domain Proto
US 8.8.8.8:53 stat.miniload.org udp
US 8.8.8.8:53 dl.zona.ru udp
RU 46.254.16.107:80 dl.zona.ru tcp
US 8.8.8.8:53 javadl-esd-secure.oracle.com udp
DE 23.212.218.110:443 javadl-esd-secure.oracle.com tcp
US 8.8.8.8:53 rps-svcs.sun.com udp
BE 23.14.90.97:80 rps-svcs.sun.com tcp
US 8.8.8.8:53 javadl.oracle.com udp
NO 104.110.22.225:80 javadl.oracle.com tcp
NO 104.110.22.225:443 javadl.oracle.com tcp
US 8.8.8.8:53 sjremetrics.java.com udp
IE 66.235.152.225:443 sjremetrics.java.com tcp
RU 46.254.16.107:80 dl.zona.ru tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 20:38

Reported

2024-04-14 20:41

Platform

win10v2004-20240412-en

Max time kernel

161s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~2\Zona\utils.jar C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe N/A
File created C:\PROGRA~2\Zona\License_ru.rtf C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe N/A
File created C:\PROGRA~2\Zona\License_uk.rtf C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe N/A
File created C:\PROGRA~2\Zona\License_en.rtf C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e5a4382.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5a4382.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3708 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 3708 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 3708 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 3708 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe
PID 3708 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe
PID 3708 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe
PID 4240 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
PID 4240 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
PID 4240 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
PID 4212 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 4212 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 4212 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe"

C:\Windows\SysWOW64\cscript.exe

cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs

C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ef74fd396eeef824295ab7e71b797661_JaffaCakes118.exe" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"

C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe

"C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 stat.miniload.org udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 dl.zona.ru udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 46.254.16.107:80 dl.zona.ru tcp
US 8.8.8.8:53 107.16.254.46.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 stat.miniload.org udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 stat.miniload.org udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 javadl-esd-secure.oracle.com udp
DE 23.212.218.110:443 javadl-esd-secure.oracle.com tcp
US 8.8.8.8:53 110.218.212.23.in-addr.arpa udp
DE 23.212.218.110:443 javadl-esd-secure.oracle.com tcp
US 8.8.8.8:53 rps-svcs.sun.com udp
BE 23.14.90.97:80 rps-svcs.sun.com tcp
US 8.8.8.8:53 javadl.oracle.com udp
NO 104.110.22.225:80 javadl.oracle.com tcp
NO 104.110.22.225:443 javadl.oracle.com tcp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 225.22.110.104.in-addr.arpa udp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

C:\Users\Admin\AppData\Local\Temp\hd.vbs

C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe

C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi