Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
17/05/2024, 03:34
Static task
static1
Behavioral task
behavioral1
Sample
4e4100e7d15a2184509293fe98c45534_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
4e4100e7d15a2184509293fe98c45534_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
4e4100e7d15a2184509293fe98c45534_JaffaCakes118.exe
-
Size
212KB
-
MD5
4e4100e7d15a2184509293fe98c45534
-
SHA1
9bf6c80f48fc32abbb0d009d9822ef3e5f5d9ade
-
SHA256
88e71ed1f6dc946566fe18d5b8575a57c005c98c8920d3cea982de8e5f907cb3
-
SHA512
f9f19eb9631888b9e8e661bed9691f2bae6662f18f4c42677f932f779e28124c7996d87875176df3af4ac165d843a689ecdf792a05483f4a32dcaef26506049b
-
SSDEEP
3072:mmDvSy93/kZq3eGNEL3nC1sRj79n7maxwRm44SX4g3:mmDvh9vkZbGNEHDn7bagSIg3
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 4e4100e7d15a2184509293fe98c45534_JaffaCakes118.exe
-
Executes dropped EXE 22 IoCs
pid | Process
3964 | javaSetup.exe
3528 | unpack200.exe
3036 | unpack200.exe
2860 | unpack200.exe
3204 | unpack200.exe
2036 | unpack200.exe
2740 | unpack200.exe
1056 | unpack200.exe
2960 | unpack200.exe
3416 | javaw.exe
5436 | javaws.exe
5452 | javaw.exe
5608 | jp2launcher.exe
5100 | javaw.exe
664 | javaw.exe
2960 | javaw.exe
4808 | javaw.exe
1172 | Zona.exe
1968 | javaw.exe
3480 | Zona.exe
5044 | javaw.exe
1056 | javaw.exe
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zona = "C:\\Program Files (x86)\\Zona\\Zona.exe /MINIMIZED" | 4e4100e7d15a2184509293fe98c45534_JaffaCakes118.exe
-
Blocklisted process makes network request 1 IoCs
flow | pid | Process
72 | 1728 | msiexec.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" | MsiExec.exe
-
Drops file in System32 directory 5 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\javaws.exe | MsiExec.exe
File created | C:\Windows\SysWOW64\java.exe | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\java.exe | MsiExec.exe
File created | C:\Windows\SysWOW64\javaw.exe | MsiExec.exe
File created | C:\Windows\SysWOW64\WindowsAccessBridge-32.dll | MsiExec.exe
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSIE493.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE61B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIEA62.tmp | msiexec.exe
File created | C:\Windows\Installer\e57e232.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57e232.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F03217080FF} | msiexec.exe
File created | C:\Windows\Installer\e57e236.msi | msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msiexec.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | msiexec.exe
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5608 jp2launcher.exe 5608 jp2launcher.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5608 jp2launcher.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e4100e7d15a2184509293fe98c45534_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4e4100e7d15a2184509293fe98c45534_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\4e4100e7d15a2184509293fe98c45534_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4e4100e7d15a2184509293fe98c45534_JaffaCakes118.exe" /asService2⤵
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\javaSetup.exe"C:\Users\Admin\AppData\Local\Temp\javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=03⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3176
-
-
-
C:\Program Files (x86)\Java\jre7\bin\javaw.exe"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\Zona.7z" "C:\Program Files (x86)\Zona"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2960
-
-
C:\Program Files (x86)\Java\jre7\bin\javaw.exe"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\appdata.7z" "C:\Users\Admin\AppData\Roaming\Zona"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4808
-
-
C:\Program Files (x86)\Java\jre7\bin\javaw.exe"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\rambler_r33.7z" "C:\Users\Admin\AppData\Local\Temp"3⤵
- Executes dropped EXE
PID:1056
-
-
-
C:\Program Files (x86)\Java\jre7\bin\javaw.exe"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" ru.megamakc.core.JavaVer2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5100
-
-
C:\Program Files (x86)\Java\jre7\bin\javaw.exe"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" ru.megamakc.core.JavaVer2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:664
-
-
C:\Program Files (x86)\Zona\Zona.exe"C:\Program Files (x86)\Zona\Zona.exe" /copydll2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Program Files (x86)\Java\jre7\bin\javaw.exe"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968
-
-
-
C:\Program Files (x86)\Zona\Zona.exe"C:\Program Files (x86)\Zona\Zona.exe" --readInitFile2⤵
- Executes dropped EXE
PID:3480 -
C:\Program Files (x86)\Java\jre7\bin\javaw.exe"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5044
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 521B1FA781FA78025BAC35A9A5ED62722⤵
- Loads dropped DLL
PID:4752
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1ED2053FAD83CC45881584B0C5B058B8 E Global\MSI00002⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3528
-
-
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036
-
-
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860
-
-
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3204
-
-
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036
-
-
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740
-
-
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1056
-
-
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960
-
-
C:\Program Files (x86)\Java\jre7\bin\javaw.exe"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3416
-
-
C:\Program Files (x86)\Java\jre7\bin\javaws.exe"C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5436 -
C:\Program Files (x86)\Java\jre7\bin\javaw.exe"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5452
-
-
C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe"C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma 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 -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5608
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Browser Extensions (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize
733B
MD590fbc76f17c40f14b31b31fe28c257fd
SHA1d2756558c9b9f913094b23c159d409bbb75d3a84
SHA2562ce66f07a838ca044e804caaa2597b73762f7e6533cbdbb60637d01b55d7e566
SHA51227d8395be79e4bcdac2439aa7bb59aeabdcbf2b4384bbef20f2cf00ac7562f481759d14e46808a37d4fdd311a31cd3203848b4f3c4c04bf05ce38c1c3248819e
-
Filesize
2KB
MD52ac4f6695c40bc595d3d516c86267c2f
SHA177053d5a549373c4526e9d7f30b18a115db169bd
SHA256a5a422c84e18934b909a0fc5ae46e5348c43741903fbd727098f2e1ca0ab2556
SHA51252ef07418863d7c677377c193cc3964641b44b3919207348985aa0b2bd5de5931a43109dc7f05e0c1afc0109d9651daeb0414c69f69ddb9baaedf8a2bccd04b8
-
Filesize
3KB
MD526cd60edc48361888370f7c4acec4bfc
SHA1ebf923c2f40fd6c469447d515f7a1c434e09c84b
SHA256e70b0954fe3939f536002e7646535e45e9173509ab1b39ab28778318c922bde3
SHA5127031c269879038a0a17b0998ad42521bc88642f25c67bb804928dae20df7c5623d52054cb1770d21885766329938e882cae7a62aa787be531f3c2f2c3157c8e6
-
Filesize
3KB
MD549347048d7f348da360727239166a04f
SHA16aed60afc7f892ed8ce83ccb65504dae82add664
SHA256a56dbfb02350edcdacb4e28901f9de76bb05420141475859f101e17ccb26ea53
SHA512da4654989867f2627792837319dcdd24888f2e77960571994de4069ddef82c9bf1259b57c77844f5ecf35e4629e94d648e1411004d1f6addcc24912b6233c932
-
Filesize
5KB
MD5b28f338e9363ca3172a2f2aafde1c873
SHA197cbb64c2440678d9246684f526da108a2752a25
SHA256a95b28ee5d801678d4a2fb84f1e05aaa535e5ecc7a55cc94677830f6ad488209
SHA512a0d2da77cbc62c4fb9b24ac85d3cd7ba0fdbfb411fee2bf2f14e15f0936eb7ef7ab53ab7615bc21babcd583833fe97e3c7b0356a6c402d513c23a694008f7c6d
-
Filesize
202KB
MD59f84d910602183954bed6d9660600783
SHA182e3b122dc63e0a333bca531dd16667d5fafbf23
SHA256bf4e4c75d148cb412e28a0b4e665919fd5ac6b9aa6bc3fa75401394759218d5e
SHA51209fb450e6c6f22a32d5e06f470070aab17d4973afe307b529093af7fa29ab96b61a89814e4964d005459f8ebb25716134a5e1c41f6ea7d260361b135306544b9