1061b691acad1c3352b5f64059b9e5187b4d650a783383bd4eb51abdcb3ede8a

Analysis

max time kernel
143s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
Size

207KB
MD5

92466b4aae1db6ad9cf80e7d5dddc379
SHA1

3d39d338ec7b86fbaf9948640fcf88039a172f6c
SHA256

1061b691acad1c3352b5f64059b9e5187b4d650a783383bd4eb51abdcb3ede8a
SHA512

5c457550ae1bdf41dcafb43eb699d79a74518ac603e5c16bf2402f1496868a68c6a2ff0143818af1dcacd865e0fe0774277d9efea38cfdd0356929b5e8c39a7e
SSDEEP

6144:c8+9tCJQBqCYaM+QcEdNc4fdem9UJNh+ytHFoSyGT:ef2aM+Qcn4V/8NhnpFoSy4

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

Processes:

41javaSetup.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exejaureg.exejavaw.exe

pid	process
876	41javaSetup.exe
2704	unpack200.exe
2452	unpack200.exe
3028	unpack200.exe
1820	unpack200.exe
2284	unpack200.exe
1116	unpack200.exe
2376	unpack200.exe
1732	unpack200.exe
2488	javaw.exe
1800	javaws.exe
972	javaw.exe
1656	jp2launcher.exe
1804	jaureg.exe
1700	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exeMsiExec.exeMsiExec.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exeMsiExec.exe41javaSetup.exe92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe

pid	process
2696	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
2388	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
2704	unpack200.exe
2452	unpack200.exe
3028	unpack200.exe
1820	unpack200.exe
2284	unpack200.exe
1116	unpack200.exe
2376	unpack200.exe
1732	unpack200.exe
1840	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
2488	javaw.exe
2488	javaw.exe
2488	javaw.exe
2488	javaw.exe
2488	javaw.exe
1840	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
1800	javaws.exe
1800	javaws.exe
1800	javaws.exe
1800	javaws.exe
1800	javaws.exe
1800	javaws.exe
972	javaw.exe
972	javaw.exe
972	javaw.exe
972	javaw.exe
972	javaw.exe
1800	javaws.exe
1800	javaws.exe
1800	javaws.exe
1656	jp2launcher.exe
1656	jp2launcher.exe
1656	jp2launcher.exe
1656	jp2launcher.exe
1656	jp2launcher.exe
1656	jp2launcher.exe
1656	jp2launcher.exe
1656	jp2launcher.exe
1656	jp2launcher.exe
1656	jp2launcher.exe
2344	MsiExec.exe
2344	MsiExec.exe
876	41javaSetup.exe
2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

MsiExec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0045-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0034-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0082-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0053-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0079-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2772-0-0x0000000000A10000-0x0000000000A9C000-memory.dmp	upx
behavioral1/memory/2696-45-0x0000000000A10000-0x0000000000A9C000-memory.dmp	upx
behavioral1/memory/2772-82-0x0000000000A10000-0x0000000000A9C000-memory.dmp	upx
behavioral1/memory/2696-85-0x0000000000A10000-0x0000000000A9C000-memory.dmp	upx
behavioral1/memory/2772-1186-0x0000000000A10000-0x0000000000A9C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

24 2268 msiexec.exe
26 2268 msiexec.exe
28 2268 msiexec.exe

flow	pid	process
24	2268	msiexec.exe
26	2268	msiexec.exe
28	2268	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

MsiExec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	MsiExec.exe

Drops file in System32 directory 5 IoCs

Processes:

MsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\java.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\javaw.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	MsiExec.exe
File created	C:\Windows\SysWOW64\javaws.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\java.exe	MsiExec.exe

Drops file in Program Files directory 64 IoCs

Processes:

MsiExec.exemsiexec.exe92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exeunpack200.exe

description	ioc	process
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Niue	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\JAWTAccessBridge-32.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\content-types.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Phoenix	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Hong_Kong	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-7	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Riga	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\MET	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\SystemV\AST4ADT	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\java.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\deploy\jqs\jqsmessages.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\deploy\messages_pt_BR.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Antarctica\Syowa	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Tehran	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\SystemV\YST9YDT	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\sunec.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\Tucuman	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Danmarkshavn	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Jakarta	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\JAWTAccessBridge.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-5	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Honolulu	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Noumea	MsiExec.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\t2k.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\deploy\messages_zh_TW.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Abidjan	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Pyongyang	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\UTC	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\security\java.policy	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Atlantic\Bermuda	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Port_Moresby	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\MST7MDT	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\nio.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\policytool.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\ext\sunmscapi.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\La_Rioja	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Ho_Chi_Minh	MsiExec.exe
File created	C:\PROGRA~2\Zona\License_uk.rtf	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Puerto_Rico	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\charsets.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre7\lib\security\javaws.policy	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\El_Salvador	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Macau	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Guam	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\PST8PDT	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Tarawa	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\ext\access-bridge.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\rt.pack	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\San_Luis	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Istanbul	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Majuro	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+9	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-2	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Zaporozhye	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\charsets.pack	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\security\java.security	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Monrovia	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Curacao	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Dushanbe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jpiexp.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Thule	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Novosibirsk	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Samara	MsiExec.exe

Drops file in Windows directory 17 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58B6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f784e45.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5635.tmp	msiexec.exe
File created	C:\Windows\Installer\f784e42.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5F0E.tmp	msiexec.exe
File created	C:\Windows\Installer\f784e48.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9EEE.tmp	msiexec.exe
File created	C:\Windows\Installer\f784e4a.msi	msiexec.exe
File created	C:\Windows\Installer\f784e44.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f784e42.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA058.tmp	msiexec.exe
File created	C:\Windows\Installer\f784e3f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f784e3f.msi	msiexec.exe
File created	C:\Windows\Installer\f784e45.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9BD2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f784e48.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

MsiExec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "38063848"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	MsiExec.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe

Modifies registry class 64 IoCs

Processes:

MsiExec.exemsiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InProcServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0033-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0034-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_34"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0021-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_06"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_11"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_01"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0012-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_12"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0007-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_84"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\Command	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0026-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0055-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_51"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_14"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_41"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_12"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F60730A4A66673047777F5728467D401\au	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_11"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0027-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_27"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0050-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_50"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBB}	MsiExec.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

41javaSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	41javaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	41javaSetup.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

jp2launcher.exemsiexec.exe

pid process

1656 jp2launcher.exe
2268 msiexec.exe
2268 msiexec.exe

pid	process
1656	jp2launcher.exe
2268	msiexec.exe
2268	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2852	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeSecurityPrivilege	2268	msiexec.exe
Token: SeCreateTokenPrivilege	2852	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2852	msiexec.exe
Token: SeLockMemoryPrivilege	2852	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2852	msiexec.exe
Token: SeMachineAccountPrivilege	2852	msiexec.exe
Token: SeTcbPrivilege	2852	msiexec.exe
Token: SeSecurityPrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeLoadDriverPrivilege	2852	msiexec.exe
Token: SeSystemProfilePrivilege	2852	msiexec.exe
Token: SeSystemtimePrivilege	2852	msiexec.exe
Token: SeProfSingleProcessPrivilege	2852	msiexec.exe
Token: SeIncBasePriorityPrivilege	2852	msiexec.exe
Token: SeCreatePagefilePrivilege	2852	msiexec.exe
Token: SeCreatePermanentPrivilege	2852	msiexec.exe
Token: SeBackupPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeShutdownPrivilege	2852	msiexec.exe
Token: SeDebugPrivilege	2852	msiexec.exe
Token: SeAuditPrivilege	2852	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2852	msiexec.exe
Token: SeChangeNotifyPrivilege	2852	msiexec.exe
Token: SeRemoteShutdownPrivilege	2852	msiexec.exe
Token: SeUndockPrivilege	2852	msiexec.exe
Token: SeSyncAgentPrivilege	2852	msiexec.exe
Token: SeEnableDelegationPrivilege	2852	msiexec.exe
Token: SeManageVolumePrivilege	2852	msiexec.exe
Token: SeImpersonatePrivilege	2852	msiexec.exe
Token: SeCreateGlobalPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jp2launcher.exe

pid process

1656 jp2launcher.exe

pid	process
1656	jp2launcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe41javaSetup.exemsiexec.exeMsiExec.exe

description	pid	process	target process
PID 2772 wrote to memory of 2640	2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	cscript.exe
PID 2772 wrote to memory of 2640	2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	cscript.exe
PID 2772 wrote to memory of 2640	2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	cscript.exe
PID 2772 wrote to memory of 2640	2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	cscript.exe
PID 2772 wrote to memory of 2696	2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
PID 2772 wrote to memory of 2696	2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
PID 2772 wrote to memory of 2696	2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
PID 2772 wrote to memory of 2696	2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
PID 2772 wrote to memory of 2696	2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
PID 2772 wrote to memory of 2696	2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
PID 2772 wrote to memory of 2696	2772	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
PID 2696 wrote to memory of 876	2696	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	41javaSetup.exe
PID 2696 wrote to memory of 876	2696	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	41javaSetup.exe
PID 2696 wrote to memory of 876	2696	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	41javaSetup.exe
PID 2696 wrote to memory of 876	2696	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	41javaSetup.exe
PID 2696 wrote to memory of 876	2696	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	41javaSetup.exe
PID 2696 wrote to memory of 876	2696	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	41javaSetup.exe
PID 2696 wrote to memory of 876	2696	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	41javaSetup.exe
PID 876 wrote to memory of 2852	876	41javaSetup.exe	msiexec.exe
PID 876 wrote to memory of 2852	876	41javaSetup.exe	msiexec.exe
PID 876 wrote to memory of 2852	876	41javaSetup.exe	msiexec.exe
PID 876 wrote to memory of 2852	876	41javaSetup.exe	msiexec.exe
PID 876 wrote to memory of 2852	876	41javaSetup.exe	msiexec.exe
PID 876 wrote to memory of 2852	876	41javaSetup.exe	msiexec.exe
PID 876 wrote to memory of 2852	876	41javaSetup.exe	msiexec.exe
PID 2268 wrote to memory of 2388	2268	msiexec.exe	MsiExec.exe
PID 2268 wrote to memory of 2388	2268	msiexec.exe	MsiExec.exe
PID 2268 wrote to memory of 2388	2268	msiexec.exe	MsiExec.exe
PID 2268 wrote to memory of 2388	2268	msiexec.exe	MsiExec.exe
PID 2268 wrote to memory of 2388	2268	msiexec.exe	MsiExec.exe
PID 2268 wrote to memory of 2388	2268	msiexec.exe	MsiExec.exe
PID 2268 wrote to memory of 2388	2268	msiexec.exe	MsiExec.exe
PID 2268 wrote to memory of 1840	2268	msiexec.exe	MsiExec.exe
PID 2268 wrote to memory of 1840	2268	msiexec.exe	MsiExec.exe
PID 2268 wrote to memory of 1840	2268	msiexec.exe	MsiExec.exe
PID 2268 wrote to memory of 1840	2268	msiexec.exe	MsiExec.exe
PID 2268 wrote to memory of 1840	2268	msiexec.exe	MsiExec.exe
PID 2268 wrote to memory of 1840	2268	msiexec.exe	MsiExec.exe
PID 2268 wrote to memory of 1840	2268	msiexec.exe	MsiExec.exe
PID 1840 wrote to memory of 2704	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 2704	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 2704	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 2704	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 2452	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 2452	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 2452	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 2452	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 3028	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 3028	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 3028	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 3028	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 1820	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 1820	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 1820	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 1820	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 2284	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 2284	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 2284	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 2284	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 1116	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 1116	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 1116	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 1116	1840	MsiExec.exe	unpack200.exe
PID 1840 wrote to memory of 2376	1840	MsiExec.exe	unpack200.exe

C:\Users\Admin\AppData\Local\Temp\92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\cscript.exe
cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
2⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
"C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\AU\au.msi" ALLUSERS=1 /qn
4⤵
PID:2824

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.7.0_80-b15
4⤵
- Executes dropped EXE
PID:1804

C:\Program Files (x86)\Java\jre7\bin\javaw.exe
"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" ru.megamakc.core.JavaArch
2⤵
- Executes dropped EXE
PID:1700

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7DF3A8C7A486CEB7D081E9F8FCDBDFC4
2⤵
- Loads dropped DLL
PID:2388

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A5C151D98981F3032E27DEF41729AA1B M Global\MSI0000
2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1840

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2452

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1116

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732

C:\Program Files (x86)\Java\jre7\bin\javaw.exe
"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488

C:\Program Files (x86)\Java\jre7\bin\javaws.exe
"C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800

C:\Program Files (x86)\Java\jre7\bin\javaw.exe
"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972

C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe
"C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW5camF2YXcuZXhl -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 31A771A452F538425E5CFCA9B2A0340E
2⤵
- Loads dropped DLL
PID:2344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f784e43.rbs
Filesize
9KB

MD5
3e45f27c416d9921fb25db8f89db8593

SHA1
ad5b79b122777b1fc01a06318fb57817c2527d87

SHA256
a660f84aeca80b8e43a21043eaa59660f4c13980e9cf0d7a1027bd34641aa94d

SHA512
90caa55df7583f474070688baeb49ca34c39010169318d85942037c10ce91909385b2c829fe85549140afb6e28b0f0f136d348f5c90da21ddc8bb607923aba30

Download Submit
C:\Config.Msi\f784e49.rbs
Filesize
8KB

MD5
c9a09ead72c8480f3d74cccfbb965b63

SHA1
f34f6baa836693fe54193f1f3e177c1975e44e65

SHA256
ea9793cf161b096b65fa5a61a57a07b9955d893e6b9e0847eb0e530422d4a353

SHA512
883aea4eed81ca055928a07bf841f44d4140cd8879388dd783b4957e409732837f101b075bbd4c02831c7da3b898fcda5b76cbc9205391f48076d141634e31c1

Download Submit
C:\Program Files (x86)\Java\jre7\bin\client\jvm.dll
Filesize
3.4MB

MD5
27147e1e3faf9b5ccda882cd96f2a85c

SHA1
7103f60121727917f812bfc7cdff5347fc17cc8e

SHA256
500d359211ece211cf672de328345876f016fb4a476b2a03cbc3b8b89023ae1f

SHA512
0866c604911e243687e7fe721142eb882b19691c902736b59ba304933463d8c9154ecc319b91c9771cee8139e151cc2a2e960bc7a93ed97352cf5232a0964194

Download Submit
C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
Filesize
864KB

MD5
bc3a575dfb1a58d35e8617f2966bf1ea

SHA1
6353630f62e246d7f462134e8d10a7a42935e20f

SHA256
c029fd3c6ffd2158d0633fc122786838a6f5d3cc7ef78bbe934697015c8c63dd

SHA512
c976da30d343f8e104bec72300dc0c17e582e380f0a3ae85b242dbf2d5b40459feb4a3b7789fb8d755b21cbaa0940038d20dbbf1296a48e77b461092abbbe514

Download Submit
C:\Program Files (x86)\Java\jre7\bin\javaws.exe
Filesize
266KB

MD5
2b4493bb1f94580c41def972ea9a887e

SHA1
880ca8b20c6df9a6a176b91cc50304cb0fe66d06

SHA256
841339373958786d9c93a7dad5de8fd213ed6b5ad69623f5a5762a453c48e0a5

SHA512
b43e54f2c1f3e0a3c3d2fcee518e47d17476bb735606351e41b49e97e10af758ea9a539ac370a2d12cffa93e3e752e829db969968664c59386f65b732c29e40e

Download Submit
C:\Program Files (x86)\Java\jre7\lib\charsets.pack
Filesize
1.3MB

MD5
549bbcd204914b543dafee670f110834

SHA1
012461935191a55482e8c3d453d245e965a10a2a

SHA256
8ea5af036ec067a0abcf87b8f5921e2281ff9d259e1d4c3bbe7fa9037cd87d02

SHA512
b0346a2ec52ce47351286f27f347f5fea99e160aedde52bcf74e1629739704bd975c9c99d8db6be3b6bd45e7fa933616fa081eda49e9b911efcc031c7241400e

Download Submit
C:\Program Files (x86)\Java\jre7\lib\deploy.pack
Filesize
1.7MB

MD5
b2a448112b7c886ccce9b6a3d5efd8a0

SHA1
660bc9efe960015b208a421b1a63443e7151024f

SHA256
928f6b847f94b920c462a08c43f0dfd3f7c40076b1cd60545523a5c27a4870ca

SHA512
871da63f4eaf16d77ba6c19c10d8ddd8e94f744c20a70e24793f837023d20e56698d85f67498bc06ec37b73a8f376c220afbe7f3884b00536b710ff49c339b3f

Download Submit
C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack
Filesize
736KB

MD5
c8dc1cfeaf0fefc39ed0f1de4eaa175c

SHA1
11cacbb9e5724d37789455de37a225d8e0c648a1

SHA256
da2803a283d28882182e1e280b4f25ee1579a5805e73fcc9882e63968f102a8f

SHA512
6b419ba94ae90f8caa3a57690f2ec7e249c9fb8ab86819439621cde1243c7636ee76820622ce32ed483ce76976f7ced74778898fc2725b1a2407b039fb53508c

Download Submit
C:\Program Files (x86)\Java\jre7\lib\i386\jvm.cfg
Filesize
686B

MD5
5147cce789cd18ad6b2996eb89e5d866

SHA1
756f1fffe96ef581f0d4d47253523544c89a2622

SHA256
c471d622198461715f245d478484fc7c8de533313c56e922931a875460a5aa88

SHA512
55f53adb70b1cf741cdf0dee74d92d2bf4c96954a760afae289972a0ea9bb27bc5eb4df1bd41829c7c484211fcb294fe296a4d560d8a1cdbb8c707b3bf2a79a6

Download Submit
C:\Program Files (x86)\Java\jre7\lib\javaws.pack
Filesize
205KB

MD5
491bce42c6cd8af88a2e11f37711ed4f

SHA1
3de7c18fee44465a6afe34e068f2a64dea9fa324

SHA256
ee43869ee94eefe241d661101ff6a03cc276f8e558967b1b350ea088f1dad2e2

SHA512
1e5f99466b77b5a82c23449434272acf5746811ef96b98105f89b3339ccd86734d7713c94b773755219345d673a761a356fbe846a38e7893bd8894e43cf102e4

Download Submit
C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack
Filesize
3.2MB

MD5
dfaa6429468d56ef77932cf26a495f75

SHA1
8a21a29225640f1829ae328a24ef9cb5e215a4e0

SHA256
8c481a549acfa58b1bac0385906febe33a928d004a529fec505b6a9228678fed

SHA512
6c19ed573b111315648de0646441486729b304452c15b2282938460a2339db0be4e1eb19cf6f2bf17f73037811ca2553a15957ea96b9d9af64a93045407c1148

Download Submit
C:\Program Files (x86)\Java\jre7\lib\jsse.pack
Filesize
141KB

MD5
31b4d9c29d29567b0ae3037fac9fbdc6

SHA1
8b5d1b1a309177466d71a742414d441f600ea38e

SHA256
9f031f2f1292bb311c400b0a93a11b78a08f013332b1263ea58617b6548862eb

SHA512
b4a8a3a1e837f98a3164e19a6fe939819eb336892335de975822890b52b5923d85fee4c4e5464ccb0d46c847f37f7da98a839aadbf4d20fca355f396a53836c0

Download Submit
C:\Program Files (x86)\Java\jre7\lib\plugin.pack
Filesize
489KB

MD5
47d6cfa1b01a6d41885504bbc3b1919a

SHA1
3838060f9d530c972d65f36fa38b265120a218aa

SHA256
93defaaf7f82e2e9565b27dd31a41c89e02d1b7719d0da0b940a55dcc75b91e5

SHA512
b0df9b174624234aaeb2b50cf611f698377925a0ae5c5ee9da46c65fcecf4d28941d1bf2332316d9327981c1f8c6c4fecf750e013f04eef63f5df52d27593135

Download Submit
C:\Program Files (x86)\Java\jre7\lib\rt.pack
Filesize
13.1MB

MD5
b6d75e8c90c79af1579769f10b1e5c88

SHA1
146cb3f05fa161885e8faf079fa2bbd89b5c5b18

SHA256
82dc6806d9ec9eb16604f90a5c78d0d882b69a0e718d8f6c3c6b7c9719887b7e

SHA512
02cdd0c0d6e71bc09120db2cd3b9471c0176567d92bb74a08c13e82c1d23722eb4afac41583a11dee3fc531fd442754ee0f5cb964898ec036ddd432947996037

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
aa4ca7f73ff5b08bc472c58cdaf811e2

SHA1
c8497560f7f4b94b362e806ea81b159cfe728b83

SHA256
761f0fa4e98632a2a3cf8d720253e89814b88c369b162abaa17c26bb94e01768

SHA512
b0c07cbbcd763b6e4534ac65eeb926c1b725935e1b54376b62bd3817b28174a9bf759ca6271af701cf21f1a4b2060be1f764de1d5f3eb443a3bb5548a045a713

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Filesize
1KB

MD5
688ce8f58564065a6c8db139aa99319c

SHA1
51000e1c629c8e7b94d2c2cc7f07fe94663e667c

SHA256
cdc4527b8d1bfaa150f959b7477f8bfae784dca1fb72b216f9b85c1b13597180

SHA512
2f14ae499a052ef2a0636bee5ea27566dc51bbdbeed527bc3307dd65c71dce73230b69f638fbdc54d6ea0b50bda22b80ce93b0c667a74986ead1cad6ac9ab7b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\Data1.cab
Filesize
24.6MB

MD5
003a488a2139105704566b47eb29520d

SHA1
52d672a592cd52ad5e2e7239421f2659e0d17afa

SHA256
a84262dd486cf59049d0d2d9a1b00dfb5aa5271592edd8de0e052f12496dec67

SHA512
ab34061f8e04bb1d59f1b35e0e1848a176f2b119095e79015130da3a4384c70fa35ecbe1625e07c0eb0de49c67bcdbba59f10fa1dfbbb2066dcb6ee6825215de

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi
Filesize
898KB

MD5
e24d9b483ce7a3a6a4406111883457f7

SHA1
0d5efff0d110c48f5e6f5d438967427f1e2dbf84

SHA256
dbf28e21d55dd662cccf4d422a1a645a6a3dbfd6914942dde417d20c4d2fe01c

SHA512
b614b023ce683e78ee685be028fa06d7df90f10360d55de2a8c1214200b0b85998683502f377b01584bf23b72b168c33ef560a78d7abdf68aa3af87beca59398

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4EDB.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5088.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
8KB

MD5
f46630e4a43f421117970d91a74394a5

SHA1
b1147068e3ab5a25c282a026a766a31bc2b562b4

SHA256
2099b33f3b248818ac736d650527aab7ffcc7536a7453ea428601b81bb618280

SHA512
0c60730a2eca0647ea079cea2cd2d62c1428a43f33fa896660a2954209f17c81ac5673081cafd147d159282bf65c5e6f5c4ec29f45083f9cfdc192259750ad68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
4KB

MD5
5b92e0efcdb240ab7d7df6c4d836e898

SHA1
4227659a1523eb848a0a4b27da8b2e9171658a1e

SHA256
7e32777b391093a9966e22f84d7825ccaab85cc4682f186b84c9d98c409db9e0

SHA512
9286127654c9a2bf509d32980e9a26a14898c681af77bb718778682e2e2b01adb35a347615d36b7c7d29ccbcde79112c91c95da2d178f9044f1e6d8cfd16d763

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
4KB

MD5
5b518e160b383b0248552aa9fe7c4764

SHA1
f8e26c30082a1e01f026d4ed8ccfdbec55d21a2e

SHA256
af004e122837d639d8250f441cb0d4132a4eb036868cf8b9953b9874e37d2000

SHA512
f1522f026493eba8cff8be8562129f666df8591f1151d897197a1f4cf800517e662295f80223d898d467628b1f1dd03e51c8734a485ca21c1c207a05fb4c1515

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
4KB

MD5
c9e1cabd639115d7e04b3b5f8c9d0d12

SHA1
80d3bffe5de8172cd7558e886a66b06f586f97d1

SHA256
e6ddc897408d042c40547f5360cf56300814092336737774772f5430780ef9cc

SHA512
5266c1257f07cc2d6d91d7da396131ccede9dc659299564a6dd37fdd1e480aa265648136b7de7c5c7845c5550506eb5820ac539728b8d747e6abd4b48c42d6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
5KB

MD5
05b573eeb3304c50f9243430e6ca7ad7

SHA1
49283622c5a4064b1558b96739f83b0a5d40c316

SHA256
00a3f371bd5d2fdfaa0b9371b793f27e06c61fb9c341dc8bf80471359d1ba077

SHA512
d2a5dcf2d3a907abeed9ef5352510f7ed3ee5eab7614d8a50fb94f1ed79c18d6a534264eb0823c3508a33fab96744c652e1cf2f473fefcd9fac3010d0979555a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
5KB

MD5
6790d0bbb79602f54aaecf67e4341da1

SHA1
64bf7eebab65b817e6400ba6daa95b7244e6433a

SHA256
146dc51e70414ab26d178ce32ea38231b4d43c19b1faf718b30333c274fc6fcc

SHA512
2a5d510dec54643e65c5c8c14c326dbc505d13cfd07d6de8c0db9569255adb3756a0399e02e3908a8d128cad4034dcb54959ec3cf86e74af5464ded2dfde0a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
5KB

MD5
0e71aed87954700633cfa9dcccbac71e

SHA1
09df7606b603d50ec591fc628869e3fbfe3767c0

SHA256
0f3b05e6d5d7598d3d4557fc3327013266e2a1ae2034b1b481a056f134690906

SHA512
b3826db778fd36b9990f64a7ba7abe55693c84fb5e435a51d459408c72f06588336afb8f34c3709d19551a12d8628d5cbd91ebd79a257618523b7b711047935a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
6KB

MD5
a343986815962db586b8e070c4a4943a

SHA1
c59a78d5762fd6adadec56f328f7e2b556183a07

SHA256
a004037e13537b7ba17dd9fa138b4bd985d1f5a034227fe2ec179702690d39ee

SHA512
67965b4235d0497e189bf74c53fc319d332813499ef7561ba6e159b30e21460be43a787a8b8c11332580f2b57dbce14cd6813f8dc0cfb4133b18c3b4ab9cd6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
1KB

MD5
aadffd77d3386f79e205264588ecf55a

SHA1
e07c64cb8b3ffaa1384f30ded8357c63c698114d

SHA256
df00aafa00c8552017aaf9c631e598eecbf302025ee9ccd67b229e58c8d9547c

SHA512
8535f7452d627f7d683ee5ad7d6c219af43d84df5216f3b5784e1fa9391f6a4e29446c62f373365dad2bff2bfc2dc6d0dbc4cf9c54c2e811a9fcee5da1d2009b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs
Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
193KB

MD5
6a86e8d216a77baa9084e18e231204a6

SHA1
6c1e488a58c0776519fb5eb4161d0f929aecb188

SHA256
49c96e06d4d875bd04d6dba41567347e0ca43f712b54dfcb240bbf8da12506d3

SHA512
6c4dddca4bcad858ff042a9f15da6226cf8c4a7c84215a1cba8b6625ef192d74451fb11a9ceb6c5a6450b71fec24c69d404505717c008c9009ca8e0a8a57c37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
193KB

MD5
5da1b3686b8239c4278b11288b0b441d

SHA1
fde3ebc5be1347693b9a66877f78d40929383ff8

SHA256
c2e1e432f32ceaef9be282ed1216275604f03a9fc514781161eaa89c32046f56

SHA512
a5a118bc340169f36c7b69a1d5e20b23be6132be6926664d67839357c40ac7a9337014a9aa570b72f3f3ce816a3b003915516effb764ac00f3959a75a9d05b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
194KB

MD5
a4a7a1bb494c3808f6c61b7a016b0e1b

SHA1
78c93a6cb226ae9fec29eb5727737b88457c09ad

SHA256
415da94b6e737947ad017a683a71fa1ab41229ae062f46e18ad8b427dc63b6b9

SHA512
9cf5f993f137024edfe2c35186beaffd891cfc8122d527a95cc42eb098026766ae35f2c53625f50b4821f54b055f21dbe99e6da3dc4c08ffa49419b58553be93

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
195KB

MD5
a256804cf7979b72a2e05766cdc6e6a4

SHA1
7318c80b4ff40c397a27cd2fce6c157bea503be6

SHA256
0ce92642049b8d6cd1925f5697eb4fd699594fc329d590fb482f9430a449c4a5

SHA512
8c8fd367f8e990ae1d291b66ae34efd76dc547e53d3e80b334ce00fc05a703c9a4316025426363106f614ecf64567bb98b918ab019ed084ba47e06f634c397f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
195KB

MD5
95b6db47d83e1c43fe0a6dfa89b6cf4c

SHA1
ce67c5f379dca2775815dba04875bee40dcc8c14

SHA256
c3fccdfe60a45a816f9389a8ed5678862bb151d10d58d5ed7275a7d0e3714388

SHA512
4c9df5f9d618bb0d6827ff187b0f7ba1bc7b17fb34635a84a37353837b5afc6c0c4ff0c913608edb6ec478c540d79084fe2aaa15f45628ab4a53938a223dbbe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
197KB

MD5
2b86d39053fc6e56bd766e03b26a52c0

SHA1
ef3dc18b0959019ac4501feb955921fb0053907f

SHA256
a0c4e58373a32071c13ea9d822f62773b50746a310cd371e425a2156963e0548

SHA512
b156b87ba767de35d4be1738eebd393fc584c2294f529834f20d63d5179c6b198925c68b94af63243bc667fd5f87792886af2225c1f3d7933e311b75ad1bc173

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log
Filesize
4KB

MD5
b8fb107bd13db98220f268c8934f9966

SHA1
9ae449edd077dbe9fc765619a318359a03284b18

SHA256
54319cb0aa82dc67dffada8af6e5fdb235b0c27575f4c7ddfe7a6f834243d3eb

SHA512
af996421da8f6655c62693db73770777b981334e368c0a288b8e7ba5dc20577adc7605336cb0a1d65ae41f0e4cae09e572ccf657c9c35aed679b0ccf17e1941d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
602B

MD5
9077e6b0ccaf40a22a5ed86e9990ca9d

SHA1
c049deb5f1d8a6e304be15cfa0052f585be6d754

SHA256
49e8d79f82410dc4ed85f7703401a2ecbd2d24c4db0b63aa6fc81d33636fa4e0

SHA512
29a7cef160de08b1105442ac387e2d5596a92fdda05464dc1cc99230679c8a774ff92869e6cfb95006df10d8430224cbd15b0f335e2bcbebaf3898ce966a9159

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
890B

MD5
8755f06dc07229dee936907965d1ed45

SHA1
cc8bffb2819bd1f0699f583642b0cdd9c2a00221

SHA256
535c954a7b3d788f742bc187a503da5714034898bbd43ff34ce3993320099be0

SHA512
abc1e321c2e14cc5ddd0debb1b1c8207ac12a229ad6d082f669f6faf43882777284f01211c5fed9a6865efd4889225ce91b25977450ca07f4ac75c3c32dea9f0

Download Submit
C:\Windows\Installer\MSI5635.tmp
Filesize
202KB

MD5
9f84d910602183954bed6d9660600783

SHA1
82e3b122dc63e0a333bca531dd16667d5fafbf23

SHA256
bf4e4c75d148cb412e28a0b4e665919fd5ac6b9aa6bc3fa75401394759218d5e

SHA512
09fb450e6c6f22a32d5e06f470070aab17d4973afe307b529093af7fa29ab96b61a89814e4964d005459f8ebb25716134a5e1c41f6ea7d260361b135306544b9

Download Submit
C:\Windows\Installer\f784e45.msi
Filesize
155KB

MD5
55d7e66e49c3994eb5e1004a5efd22b1

SHA1
aa8a045dc0c161e95804f76efe27f1f572072fa8

SHA256
0a833d92b4d4aa068b0cb256b87c0d3495c3cc4a021be86c072095fee467b379

SHA512
2492ca442c4f6aab1f085a54bbbc1a95b836f033f1c8748fa6c3873997a397020baedfc1f661d751afe30ade3ab14b66a676a4731696b6c90c5c3adfa6c2bd2b

Download Submit
\Program Files (x86)\Java\jre7\bin\java.dll
Filesize
117KB

MD5
a258a133f7d565600647a248ab95792c

SHA1
1c6a855ca1fc04413b906b0b17609eff38317161

SHA256
81ad5696a6fcad89127fc7a428636d431b446ff1ee0c37bf87e8d513a8bae7af

SHA512
bf9dd97947eb0c71243ae28255af54b06d9e17af7ade666538dd93f9fdf6d8fbc3855f48bfaf6522dbd9ce3c6cff655581f092709670606d033f2321b1f4a5e7

Download Submit
\Program Files (x86)\Java\jre7\bin\javaw.exe
Filesize
171KB

MD5
64e2bb67ea740860510dcc5c2b6ffa2d

SHA1
6c5996358264624cdb4a075acc4f0b46177cd259

SHA256
844ab2231f45fad60d81770ea36d9937da9aa72cd905ce06e7471ddf9d69263b

SHA512
ed24331883ada44d8b034f5c8bc458e53234109d5cd02a27989972033f5b3305d23365106ce80be81caa16e472c14c103e457a1e0d138eb0d95036e58d877462

Download Submit
\Program Files (x86)\Java\jre7\bin\jpishare.dll
Filesize
138KB

MD5
4cf2dff54d2e12e3ab637fcafa7d4c9d

SHA1
dcbd0a027b8017ac396741698dfc3b3f4d1b4c39

SHA256
8ff2bc130db2f1fef2e6470adb58bcdba1d2133f9ad21ebd7d80fedd3e537e21

SHA512
a206001ceaed2df91428f1b7094246e4e7318bf4e7b19c475d4887b5eae49714ff7fa3cfab4133004a51280cf36549b73eecc87428b0b38294297545e9493e67

Download Submit
\Program Files (x86)\Java\jre7\bin\msvcr100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
\Program Files (x86)\Java\jre7\bin\unpack200.exe
Filesize
145KB

MD5
0d46182b6134aa9c7acd16133d67e4c3

SHA1
7b5be3d65e5e744723bf55a08f9dc1042585d5eb

SHA256
c89091f2a4de2fcf10b30e54a74ec5764e2dfc0577f4f1d879ac8816e3b08bcc

SHA512
735b6c6bd69b22a71c15ae44c6fa1693700321dc3b4b2367ce05d5c37df62e45d1d3836c2c0f5e44be1036aeb11a533c2a4dbec55163b4a15adfa1c8ef75673b

Download Submit
\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
Filesize
28.1MB

MD5
f2fd417b6d5c7ffc501c7632cc811c3e

SHA1
305c1493fca53ab63ba1686c9afdfb65142e59d3

SHA256
a87adf22064e2f7fa6ef64b2513533bf02aa0bf5265670e95b301a79d7ca89d9

SHA512
289ee902156537e039636722ad5ac8b0592cf5cffda3d03cf22240003627b049382b95db1b24cf6a2f7134b0df93ede65a80a86381fc161b54c84a76ed04458b

Download Submit
memory/972-997-0x0000000039C00000-0x0000000039C10000-memory.dmp

Filesize
64KB

Download
memory/972-1019-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1656-1043-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/1656-1098-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1656-1185-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1656-1044-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/1700-1175-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2488-971-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2696-45-0x0000000000A10000-0x0000000000A9C000-memory.dmp

Filesize
560KB

Download
memory/2696-85-0x0000000000A10000-0x0000000000A9C000-memory.dmp

Filesize
560KB

Download
memory/2772-95-0x0000000003090000-0x000000000311C000-memory.dmp

Filesize
560KB

Download
memory/2772-44-0x0000000003090000-0x000000000311C000-memory.dmp

Filesize
560KB

Download
memory/2772-43-0x0000000003090000-0x000000000311C000-memory.dmp

Filesize
560KB

Download
memory/2772-0-0x0000000000A10000-0x0000000000A9C000-memory.dmp

Filesize
560KB

Download
memory/2772-89-0x0000000003090000-0x000000000311C000-memory.dmp

Filesize
560KB

Download
memory/2772-82-0x0000000000A10000-0x0000000000A9C000-memory.dmp

Filesize
560KB

Download
memory/2772-1186-0x0000000000A10000-0x0000000000A9C000-memory.dmp

Filesize
560KB

Download