Malware Analysis Report

2025-01-18 21:44

Sample ID 240415-nmyqasff4x
Target f0f4590178c4a113403f4443208baab0_JaffaCakes118
SHA256 0dac8dc377514354055690218d20c710c00359792716f2d4dc10d53397281b67
Tags: adware persistence spyware stealer
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file f0f4590178c4a113403f4443208baab0_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

adware persistence spyware stealer

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

Reads user/profile data of web browsers

Enumerates connected drives

Blocklisted process makes network request

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 11:31

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 11:31

Reported

2024-04-15 11:34

Platform

win7-20240221-en

Max time kernel

120s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL


Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence

Blocklisted process makes network request


Enumerates connected drives


Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Windows\syswow64\MsiExec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\java.exe C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\java.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SysWOW64\javaw.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SysWOW64\WindowsAccessBridge-32.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SysWOW64\javaws.exe C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory


Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f76ec33.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76ec33.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76ec36.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76ec38.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76ec36.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF590.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF8AC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFC75.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76ec39.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76ec39.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\msiexec.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\msiexec.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "8506828" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe" C:\Windows\syswow64\MsiExec.exe N/A
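The ElevationPolicy and ActiveX Compatibility writes above deserve a close read. A Policy of 3 tells IE Protected Mode to start the named program at medium integrity with no prompt, which is a sanctioned exit from the low-integrity tab sandbox; Compatibility Flags = 1024 (0x400) is the kill bit, here paired with an AlternateCLSID redirect; and the Policy of 8506828 written for {5852F5ED-...} is not a documented value at all. In this trace the Java installer registers its own brokers (ssvagent.exe, jp2launcher.exe), which is normal for that product, but the same keys are what an adware or drive-by installer would write. The script below is an added example, not part of the report or of the Java installer: it parses the indicator strings exactly as the report prints them and lists silent medium-integrity launchers, out-of-range Policy values and kill-bitted controls. The row parser and the meaning tables are its own assumptions about the report format.

```python
r"""Parse the Internet Explorer Protected Mode rows above (added example).

Not part of the sandbox report or of the Java installer. The indicator
strings are copied from the report; the row parser and the meaning tables
are this example's own assumptions.

Low Rights\ElevationPolicy\{CLSID}\Policy tells Protected Mode what to do
when a low-integrity tab asks to run AppPath\AppName:
  0 prevent launch            1 launch silently at low integrity
  2 prompt, then medium IL    3 launch silently at medium integrity
ActiveX Compatibility\{CLSID}\Compatibility Flags bit 0x400 is the kill bit.
"""
import re

# Indicator column of the rows above (all written by C:\Windows\syswow64\MsiExec.exe).
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "8506828"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"',
]

POLICY_MEANING = {0: "prevent launch", 1: "silent, low integrity",
                  2: "prompt, then medium integrity", 3: "silent, medium integrity"}
KILL_BIT = 0x400

ROW_RE = re.compile(r"^(Set value \((\w+)\)|Key created|Key deleted)\s+(.*)$")
ELEV_RE = re.compile(r"\\Low Rights\\ElevationPolicy\\(\{[0-9A-Fa-f-]+\})(?:\\(\w+))?$")
AX_RE = re.compile(r"\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]+\})(?:\\(.+))?$")


def parse_row(row):
    """Return (operation, value type, key path, value) for one indicator string."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("unrecognised row: " + row)
    op, vtype, rest = m.groups()
    path, sep, value = rest.partition(" = ")
    if not sep:                  # 'Key created' rows, and values the report left blank
        return op, vtype, rest, None
    value = value.strip('"').replace("\\\\", "\\")   # the report doubles backslashes
    return op, vtype, path, int(value) if vtype == "int" else value


def elevation_policies(rows):
    """Group ElevationPolicy writes per CLSID: {clsid: {AppName, AppPath, Policy}}."""
    entries = {}
    for row in rows:
        _, _, path, value = parse_row(row)
        m = ELEV_RE.search(path)
        if m:
            entry = entries.setdefault(m.group(1), {})
            if m.group(2) and value is not None:
                entry[m.group(2)] = value
    return entries


def silent_medium_launchers(rows):
    """CLSIDs that let a Protected Mode tab start a program at medium IL without a prompt."""
    return sorted((clsid, e.get("AppPath"), e.get("AppName"))
                  for clsid, e in elevation_policies(rows).items() if e.get("Policy") == 3)


def policy_anomalies(rows):
    """Policy values outside the documented 0..3 range (garbage, or a tampered key)."""
    return sorted((clsid, e["Policy"]) for clsid, e in elevation_policies(rows).items()
                  if isinstance(e.get("Policy"), int) and not 0 <= e["Policy"] <= 3)


def activex_killbits(rows):
    """CLSIDs with the kill bit set, with the AlternateCLSID IE is redirected to, if any."""
    flags, alternates = {}, {}
    for row in rows:
        _, _, path, value = parse_row(row)
        m = AX_RE.search(path)
        if m and m.group(2) == "Compatibility Flags":
            flags[m.group(1)] = value
        elif m and m.group(2) == "AlternateCLSID":
            alternates[m.group(1)] = value
    return sorted((clsid, alternates.get(clsid)) for clsid, f in flags.items() if f & KILL_BIT)


if __name__ == "__main__":
    for clsid, path, name in silent_medium_launchers(REPORT_ROWS):
        print(f"{clsid}: {path}\\{name} -> {POLICY_MEANING[3]}")
    for clsid, policy in policy_anomalies(REPORT_ROWS):
        print(f"{clsid}: Policy={policy} is not a documented value")
    for clsid, alt in activex_killbits(REPORT_ROWS):
        print(f"{clsid}: kill bit set, IE redirected to {alt}")
```

On a live host the same keys are read from HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy (32-bit IE) and the non-Wow6432Node path (64-bit IE); any Policy=3 entry whose AppPath is writable by a standard user is a Protected Mode bypass waiting for a file drop.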

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0055-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\javaw.exe\IsHostApp C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0034-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_67" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_40" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in 10.80.2" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\ = "&Launch" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_66" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_03" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_21" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0091-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_31" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0036-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_60" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0018-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_18" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0091-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0091-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0048-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_71" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0082-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_82" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob elided] C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\javaSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob elided] C:\Users\Admin\AppData\Local\Temp\javaSetup.exe N/A
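Two writes into the machine certificate store: one straight into ROOT by the sample itself, one into AuthRoot by the Java installer it dropped. A root-store write from a user-mode installer has two explanations. Either Windows' automatic root update fetched a public CA because the process made a TLS connection (crypt32 does that inside the calling process, so the installer shows up as the writer), or the program is planting its own trust anchor, the Superfish pattern, after which every HTTPS session on the host can be intercepted by whoever holds the key. The thumbprint in the key name separates the cases. The script below is an added example, not part of the report or of the sample, that classifies such rows against an analyst-maintained allowlist. The two names in that allowlist are what these SHA-1 thumbprints are believed to belong to (ISRG Root X1 and DigiCert Global Root CA) and must be confirmed against the real certificates, because the Blob values are elided here.

```python
r"""Classify certificate-store writes from the sandbox report (added example).

Not part of the sandbox report or of the sample. The rows are copied from
the report; the store semantics, the allowlist and the severity rules are
this example's own assumptions.

Stores under HKLM\SOFTWARE\Microsoft\SystemCertificates:
  AuthRoot    roots fetched by Windows' automatic root update (crypt32, in-process)
  ROOT        roots installed explicitly (CertAddCertificateContextToStore,
              certutil -addstore root, the Certificates snap-in)
  Disallowed  explicitly distrusted certificates
"""
import re

# (indicator, writing process) from the rows above
REPORT_ROWS = [
    (r"Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8",
     r"C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe"),
    (r"Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436",
     r"C:\Users\Admin\AppData\Local\Temp\javaSetup.exe"),
]

# Analyst-maintained allowlist of public roots keyed by SHA-1 thumbprint.
# ASSUMPTION: these names are what the thumbprints are believed to be; confirm
# against the genuine certificates before relying on a "known" verdict.
KNOWN_PUBLIC_ROOTS = {
    "CABD2A79A1076A31F21D253635CB039D4329A5E8": "ISRG Root X1",
    "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436": "DigiCert Global Root CA",
}

STORE_RE = re.compile(
    r"\\SystemCertificates\\(?P<store>ROOT|AuthRoot|CA|Disallowed)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})(?:\\|$)"
)


def normalize_thumbprint(text):
    """Upper-case hex with separators removed; rejects anything that is not SHA-1 length."""
    thumb = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    if len(thumb) != 40:
        raise ValueError("not a SHA-1 thumbprint: " + text)
    return thumb


def cert_store_writes(rows):
    """Unique (store, thumbprint, process) triples found in the report rows."""
    seen, out = set(), []
    for indicator, process in rows:
        m = STORE_RE.search(indicator)
        if m:
            item = (m["store"], normalize_thumbprint(m["thumb"]), process)
            if item not in seen:
                seen.add(item)
                out.append(item)
    return out


def classify(store, thumb, process, known=KNOWN_PUBLIC_ROOTS):
    """Severity and reason for one store write."""
    name = known.get(normalize_thumbprint(thumb))
    is_windows = process.lower().startswith("c:\\windows\\")
    if store == "Disallowed":
        return {"level": "medium", "name": name,
                "reason": "distrust entry: check it does not block the vendor's or the AV's signing chain"}
    if name and store == "AuthRoot":
        return {"level": "info", "name": name,
                "reason": "public root in AuthRoot: consistent with automatic root update after a TLS connection"}
    if name:
        return {"level": "low", "name": name,
                "reason": "public root installed explicitly into ROOT: verify the Blob hashes to this thumbprint"}
    return {"level": "medium" if is_windows else "high", "name": None,
            "reason": f"unknown root written to {store} by {process}: extract the Blob, HTTPS interception risk"}


def triage(rows):
    """Classify every store write in the report, in report order."""
    return [dict(store=s, thumbprint=t, process=p, **classify(s, t, p))
            for s, t, p in cert_store_writes(rows)]


if __name__ == "__main__":
    for verdict in triage(REPORT_ROWS):
        print(f"[{verdict['level']}] {verdict['store']} {verdict['thumbprint']} "
              f"({verdict['name'] or 'unknown'}): {verdict['reason']}")
```

When the Blob is available, the check that matters is that the certificate inside it really hashes to the key name: a writer can create a key named after a trusted thumbprint and store an unrelated certificate under it, so the registry key name alone proves nothing.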

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A (×15, alternating with the row below)
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A (×15)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2948 (×4) N/A C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe
PID 2204 wrote to memory of 2616 (×4) N/A C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 2948 wrote to memory of 472 (×7) N/A C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 472 wrote to memory of 2508 (×7) N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2268 wrote to memory of 1996 (×7) N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2268 wrote to memory of 2904 (×7) N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2904 wrote to memory of 872 (×4) N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 2904 wrote to memory of 1604 (×4) N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 2904 wrote to memory of 2944 (×4) N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 2904 wrote to memory of 2692 (×4) N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 2904 wrote to memory of 2620 (×4) N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 2904 wrote to memory of 2728 (×4) N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 2904 wrote to memory of 2432 (×4) N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
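A parent writing into a child it has just created is how CreateProcess works (the parent writes the environment block and startup information into the new process), so every write above is a process-creation artefact rather than injection: each target has exactly one writer, and that writer is its parent. What the rows are good for is reconstructing the tree. The script below, an added example that is not part of the sandbox report, rebuilds it from the rows as summarised above and checks for the two things that would indicate real injection: a target with more than one writer, or a writer that is not the target's parent. Note that 2268 (C:\Windows\system32\msiexec.exe /V, the Windows Installer service) appears as a second root because the Service Control Manager started it; the hop from 2508 (msiexec /i) to 2268 is the MSI RPC call and produces no write.

```python
"""Rebuild the process tree from the WriteProcessMemory rows (added example).

Not part of the sandbox report. The rows are summarised from the table
above (writer pid, target pid, row count, images); the tree code and the
injection checks are this example's own.
"""
from collections import Counter
import ntpath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe"
JAVASETUP = r"C:\Users\Admin\AppData\Local\Temp\javaSetup.exe"
MSIEXEC32 = r"C:\Windows\SysWOW64\msiexec.exe"
MSIEXEC64 = r"C:\Windows\system32\msiexec.exe"
MSIEXEC_EMBED = r"C:\Windows\syswow64\MsiExec.exe"
UNPACK200 = r"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe"

# (writer pid, target pid, number of rows, writer image, target image)
WPM_ROWS = [
    (2204, 2948, 4, SAMPLE, SAMPLE),
    (2204, 2616, 4, SAMPLE, r"C:\Windows\SysWOW64\cscript.exe"),
    (2948, 472, 7, SAMPLE, JAVASETUP),
    (472, 2508, 7, JAVASETUP, MSIEXEC32),
    (2268, 1996, 7, MSIEXEC64, MSIEXEC_EMBED),
    (2268, 2904, 7, MSIEXEC64, MSIEXEC_EMBED),
    (2904, 872, 4, MSIEXEC_EMBED, UNPACK200),
    (2904, 1604, 4, MSIEXEC_EMBED, UNPACK200),
    (2904, 2944, 4, MSIEXEC_EMBED, UNPACK200),
    (2904, 2692, 4, MSIEXEC_EMBED, UNPACK200),
    (2904, 2620, 4, MSIEXEC_EMBED, UNPACK200),
    (2904, 2728, 4, MSIEXEC_EMBED, UNPACK200),
    (2904, 2432, 4, MSIEXEC_EMBED, UNPACK200),
]


def build_tree(rows):
    """Return (children per pid, image per pid, write count per (writer, target))."""
    children, images, counts = {}, {}, Counter()
    for writer, target, n, writer_image, target_image in rows:
        children.setdefault(writer, []).append(target)
        images[writer] = writer_image
        images[target] = target_image
        counts[(writer, target)] += n
    return children, images, counts


def roots(rows):
    """PIDs that were never written to: the sample, plus processes started elsewhere."""
    writers = {w for w, *_ in rows}
    targets = {t for _, t, *_ in rows}
    return sorted(writers - targets)


def multi_writer_targets(rows):
    """PIDs with more than one distinct writer; the extra writer cannot be the parent."""
    writers = {}
    for w, t, *_ in rows:
        writers.setdefault(t, set()).add(w)
    return {t: sorted(ws) for t, ws in writers.items() if len(ws) > 1}


def depth_of(rows, pid):
    """Writer hops from pid up to its root (0 for a root)."""
    parent = {t: w for w, t, *_ in rows}
    depth = 0
    while pid in parent:
        pid = parent[pid]
        depth += 1
    return depth


def render(rows):
    """Indented tree: pid, image basename and the number of writes it received."""
    children, images, counts = build_tree(rows)
    lines = []

    def walk(pid, depth, n_writes):
        suffix = f"  ({n_writes} writes)" if n_writes else ""
        lines.append("  " * depth + f"{pid} {ntpath.basename(images[pid])}{suffix}")
        for child in children.get(pid, []):
            walk(child, depth + 1, counts[(pid, child)])

    for root in roots(rows):
        walk(root, 0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(WPM_ROWS))
    print("targets with more than one writer:", multi_writer_targets(WPM_ROWS) or "none")
```

The same reconstruction works on any report of this format; when a row ever names a writer that is neither the target's parent nor a debugger, that is the row to pivot on, and the write count stops being a creation artefact.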

Processes

C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe" /asService

C:\Windows\SysWOW64\cscript.exe

cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs

C:\Users\Admin\AppData\Local\Temp\javaSetup.exe

"C:\Users\Admin\AppData\Local\Temp\javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B63C7DE9386E17DE27A581120351425A

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B1D0D959D0D4DF2991F8ADBA00DB27E9 M Global\MSI0000

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump

C:\Program Files (x86)\Java\jre7\bin\javaws.exe

"C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator

C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe

"C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma … -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\AU\au.msi" ALLUSERS=1 /qn

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A3EAC11B24007FE122034DDBCAED0E31

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.7.0_80-b15

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" ru.megamakc.core.JavaVer

Network

Country Destination Domain Proto
US 8.8.8.8:53 i2.x8.net udp
US 8.8.8.8:53 zona.ru udp
RU 178.218.223.40:80 i2.x8.net tcp
NL 5.35.172.6:80 zona.ru tcp
US 8.8.8.8:53 w1.zona.pub udp
NL 5.35.170.40:443 w1.zona.pub tcp
US 8.8.8.8:53 stat.miniload.org udp
US 8.8.8.8:53 dl.zona.ru udp
RU 46.254.16.107:80 dl.zona.ru tcp
US 8.8.8.8:53 javadl-esd-secure.oracle.com udp
GB 104.103.251.196:443 javadl-esd-secure.oracle.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 rps-svcs.sun.com udp
BE 23.14.90.97:80 rps-svcs.sun.com tcp
US 8.8.8.8:53 javadl.oracle.com udp
NO 104.110.22.225:80 javadl.oracle.com tcp
NO 104.110.22.225:443 javadl.oracle.com tcp
US 8.8.8.8:53 sjremetrics.java.com udp
IE 66.235.152.156:443 sjremetrics.java.com tcp

Files

C:\Users\Admin\AppData\Roaming\Zona\init.xml

C:\Users\Admin\AppData\Local\Temp\hd.vbs

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

C:\Users\Admin\AppData\Local\Temp\javaSetup.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\CabDF96.tmp

C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi

C:\Users\Admin\AppData\Local\Temp\TarEE27.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\TarF08D.tmp

C:\Windows\Installer\MSIF590.tmp

C:\Users\Admin\AppData\Local\Temp\jusched.log

C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\Data1.cab

C:\Program Files (x86)\Java\jre7\core.zip

\Program Files (x86)\Java\jre7\bin\unpack200.exe

C:\Program Files (x86)\Java\jre7\bin\MSVCR100.dll

C:\Program Files (x86)\Java\jre7\lib\rt.pack

C:\Users\Admin\AppData\Local\Temp\java_install.log

C:\Users\Admin\AppData\Local\Temp\java_install.log

C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

C:\Program Files (x86)\Java\jre7\lib\charsets.pack

C:\Users\Admin\AppData\Local\Temp\java_install.log

C:\Program Files (x86)\Java\jre7\lib\deploy.pack

C:\Program Files (x86)\Java\jre7\lib\javaws.pack

C:\Users\Admin\AppData\Local\Temp\java_install.log

C:\Users\Admin\AppData\Local\Temp\java_install.log

C:\Program Files (x86)\Java\jre7\lib\plugin.pack

C:\Program Files (x86)\Java\jre7\lib\jsse.pack

C:\Users\Admin\AppData\Local\Temp\java_install.log

C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack

C:\Users\Admin\AppData\Local\Temp\java_install.log

C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack

C:\Users\Admin\AppData\Local\Temp\jusched.log

\Program Files (x86)\Java\jre7\bin\javaw.exe

\Program Files (x86)\Java\jre7\bin\jpishare.dll

\Program Files (x86)\Java\jre7\bin\java.dll

C:\Program Files (x86)\Java\jre7\lib\i386\jvm.cfg

C:\Program Files (x86)\Java\jre7\bin\client\jvm.dll

C:\Program Files (x86)\Java\jre7\bin\verify.dll

C:\Program Files (x86)\Java\jre7\bin\javaws.exe

C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll

C:\Config.Msi\f76ec37.rbs

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

C:\Config.Msi\f76ec3d.rbs

C:\Windows\Installer\f76ec39.msi

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 11:31

Reported

2024-04-15 11:34

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\java.exe C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\java.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SysWOW64\javaw.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SysWOW64\WindowsAccessBridge-32.dll C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Zona\License_en.rtf C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\tzmappings C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\WET C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Auckland C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Norfolk C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Baku C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Brunei C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy\jqs\jqs.conf C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\fonts\LucidaBrightRegular.ttf C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+5 C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Istanbul C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Edmonton C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Antarctica\Macquarie C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Qatar C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Atlantic\Cape_Verde C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Nassau C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Berlin C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Stockholm C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\client\Xusage.txt C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy.pack C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\javaws.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\HST C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Rankin_Inlet C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Swift_Current C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Kaliningrad C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\npoji610.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Campo_Grande C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Tallinn C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Tashkent C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Pago_Pago C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\verify.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Noronha C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Pangnirtung C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Pontianak C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Karachi C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+6 C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\ext\access-bridge.jar C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\Tucuman C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Indiana\Knox C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\North_Dakota\Beulah C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Hebron C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Uzhgorod C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\JdbcOdbc.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\ssvagent.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy\splash.gif C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Sitka C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\CET C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+8 C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Indian\Reunion C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\java_crw_demo.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Tegucigalpa C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Qyzylorda C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Lagos C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\jfr.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\kcms.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\cmm\PYCC.pf C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\fonts\LucidaSansRegular.ttf C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\jfr\default.jfc C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F03217080FF} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAE4.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5900b2.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5900b2.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5900b6.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI14D8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7A7.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\msiexec.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\msiexec.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "50121028" C:\Windows\syswow64\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_21" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_04" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_06" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_16" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_17" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_03" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_16" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_12" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_20" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_14" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_19" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_07" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_05" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_01" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_07" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_11" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InProcServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_20" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.0_01" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.0_04" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF230120708FF\Language = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_12" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\Implemented Categories C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_08" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_18" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\ProgID\ = "JavaWebStart.isInstalled.1.7.0.0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF230120708FF\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_08" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\wsdetect.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InProcServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\ssv.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jfrfile C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_02" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\Implemented Categories C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\.JAR C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284} C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\.JNLP C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jfrfile\ = "Java Flight Recorder File" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus\1 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 784 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe
PID 784 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe
PID 784 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe
PID 784 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 784 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 784 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 4828 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 4828 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 4828 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 3972 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 3972 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 3972 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2744 wrote to memory of 2656 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2744 wrote to memory of 2656 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2744 wrote to memory of 2656 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2744 wrote to memory of 1872 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2744 wrote to memory of 1872 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2744 wrote to memory of 1872 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1872 wrote to memory of 4600 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 4600 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 4600 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 4620 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 4620 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 4620 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 2016 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 2016 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 2016 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 4676 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 4676 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 4676 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 3676 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 3676 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 3676 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 3052 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 3052 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 3052 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 3524 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 3524 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 3524 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 4436 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 4436 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 4436 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1872 wrote to memory of 2540 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1872 wrote to memory of 2540 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1872 wrote to memory of 2540 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f0f4590178c4a113403f4443208baab0_JaffaCakes118.exe" /asService

C:\Windows\SysWOW64\cscript.exe

cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\javaSetup.exe

"C:\Users\Admin\AppData\Local\Temp\javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 9E33991E8FF5E7B62E3840BD624CD7E0

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 4187C758D4BDFEFE01715F00A776D13D E Global\MSI0000

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump

C:\Program Files (x86)\Java\jre7\bin\javaws.exe

"C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator

C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe

"C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma 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 -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" ru.megamakc.core.JavaVer

Network

Country Destination Domain Proto

Files
