1061b691acad1c3352b5f64059b9e5187b4d650a783383bd4eb51abdcb3ede8a

Analysis

max time kernel
143s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
Size

207KB
MD5

92466b4aae1db6ad9cf80e7d5dddc379
SHA1

3d39d338ec7b86fbaf9948640fcf88039a172f6c
SHA256

1061b691acad1c3352b5f64059b9e5187b4d650a783383bd4eb51abdcb3ede8a
SHA512

5c457550ae1bdf41dcafb43eb699d79a74518ac603e5c16bf2402f1496868a68c6a2ff0143818af1dcacd865e0fe0774277d9efea38cfdd0356929b5e8c39a7e
SSDEEP

6144:c8+9tCJQBqCYaM+QcEdNc4fdem9UJNh+ytHFoSyGT:ef2aM+Qcn4V/8NhnpFoSy4

Score

8^/10

adware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe

Executes dropped EXE 17 IoCs

Processes:

41javaSetup.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exejavaw.exejavaw.exejavaw.exejavaw.exe

pid	process
4604	41javaSetup.exe
1932	unpack200.exe
2268	unpack200.exe
4308	unpack200.exe
4780	unpack200.exe
1964	unpack200.exe
3660	unpack200.exe
4492	unpack200.exe
716	unpack200.exe
1852	javaw.exe
6120	javaws.exe
6140	javaw.exe
4584	jp2launcher.exe
4512	javaw.exe
2464	javaw.exe
1472	javaw.exe
4344	javaw.exe

Loads dropped DLL 55 IoCs

Processes:

MsiExec.exeMsiExec.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exejavaw.exejavaw.exejavaw.exejavaw.exe

pid	process
4820	MsiExec.exe
2776	MsiExec.exe
1932	unpack200.exe
2268	unpack200.exe
4308	unpack200.exe
4780	unpack200.exe
1964	unpack200.exe
3660	unpack200.exe
4492	unpack200.exe
716	unpack200.exe
1852	javaw.exe
1852	javaw.exe
1852	javaw.exe
1852	javaw.exe
1852	javaw.exe
2776	MsiExec.exe
2776	MsiExec.exe
2776	MsiExec.exe
2776	MsiExec.exe
6120	javaws.exe
6140	javaw.exe
6140	javaw.exe
6140	javaw.exe
6140	javaw.exe
6140	javaw.exe
4584	jp2launcher.exe
4584	jp2launcher.exe
4584	jp2launcher.exe
4584	jp2launcher.exe
4584	jp2launcher.exe
4584	jp2launcher.exe
4584	jp2launcher.exe
4584	jp2launcher.exe
4584	jp2launcher.exe
4584	jp2launcher.exe
4512	javaw.exe
4512	javaw.exe
4512	javaw.exe
4512	javaw.exe
4512	javaw.exe
2464	javaw.exe
2464	javaw.exe
2464	javaw.exe
2464	javaw.exe
2464	javaw.exe
1472	javaw.exe
1472	javaw.exe
1472	javaw.exe
1472	javaw.exe
1472	javaw.exe
4344	javaw.exe
4344	javaw.exe
4344	javaw.exe
4344	javaw.exe
4344	javaw.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/876-0-0x0000000000130000-0x00000000001BC000-memory.dmp	upx
behavioral2/memory/876-79-0x0000000000130000-0x00000000001BC000-memory.dmp	upx
behavioral2/memory/4044-82-0x0000000000130000-0x00000000001BC000-memory.dmp	upx
behavioral2/memory/876-1623-0x0000000000130000-0x00000000001BC000-memory.dmp	upx
behavioral2/memory/876-1763-0x0000000000130000-0x00000000001BC000-memory.dmp	upx

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

61 4952 msiexec.exe

flow	pid	process
61	4952	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

MsiExec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	MsiExec.exe

Drops file in System32 directory 5 IoCs

Processes:

MsiExec.exe

description	ioc	process
File created	C:\Windows\SysWOW64\java.exe	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\java.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\javaw.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	MsiExec.exe
File created	C:\Windows\SysWOW64\javaws.exe	MsiExec.exe

Drops file in Program Files directory 64 IoCs

Processes:

MsiExec.exejavaw.exeunpack200.exe

description	ioc	process
File created	C:\Program Files (x86)\Java\jre7\bin\dt_shmem.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\javaws.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\JdbcOdbc.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Lagos	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Edmonton	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Juneau	MsiExec.exe
File created	C:\PROGRA~2\Zona\Zona.jar	javaw.exe
File created	C:\Program Files (x86)\Java\jre7\lib\deploy\messages_fr.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\security\trusted.libraries	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Kaliningrad	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Funafuti	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+6	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\javaw.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jsoundds.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\unpack200.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\meta-index	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Maputo	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Dawson	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Pangnirtung	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\javaws.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre7\bin\fontmanager.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jawt.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Atlantic\Reykjavik	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Monaco	MsiExec.exe
File created	C:\PROGRA~2\Zona\zreg.dll	javaw.exe
File created	C:\Program Files (x86)\Java\jre7\lib\ext\zipfs.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Tijuana	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\Cordoba	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Mazatlan	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Australia\Lindeman	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-13	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Honolulu	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\deploy.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\images\cursors\win32_LinkDrop32x32.gif	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Matamoros	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Ashgabat	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Damascus	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Guam	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jfxwebkit.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jp2native.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\images\cursors\win32_MoveDrop32x32.gif	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Guatemala	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Antarctica\Rothera	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Riyadh89	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Indian\Kerguelen	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Australia\Hobart	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\UTC	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\currency.data	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\jfr\profile.jfc	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Nicosia	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-4	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Fakaofo	MsiExec.exe
File created	C:\PROGRA~2\Zona\Zona.exe	javaw.exe
File created	C:\Program Files (x86)\Java\jre7\lib\content-types.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Havana	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Atikokan	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+5	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Easter	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\java_crw_demo.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Montreal	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Nassau	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Magadan	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Yekaterinburg	MsiExec.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F03217080FF}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB67.tmp	msiexec.exe
File created	C:\Windows\Installer\e58029b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58029b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BE.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI674.tmp	msiexec.exe
File created	C:\Windows\Installer\e58029f.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

MsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "41797256"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	MsiExec.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

MsiExec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0036-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_26"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0035-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0094-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0035-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_14"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_37"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0027-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_27"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0071-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_28"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_17"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_05"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_84"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0050-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_50"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_42"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_74"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_17"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0085-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_81"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_45"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_30"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_08"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0018-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_25"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_19"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0075-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0054-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe

Modifies registry class 64 IoCs

Processes:

MsiExec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_20"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_52"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_02"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_16"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_18"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0052-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_47"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0057-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_77"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0009-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0049-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0012-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_12"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_30"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0066-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}\System.ControlPanel.Category = "8"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_72"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_78"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0009-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0040-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0055-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_75"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_81"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_84"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBB}	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jp2launcher.exe

pid process

4584 jp2launcher.exe
4584 jp2launcher.exe

pid	process
4584	jp2launcher.exe
4584	jp2launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1092	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1092	msiexec.exe
Token: SeSecurityPrivilege	4952	msiexec.exe
Token: SeCreateTokenPrivilege	1092	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1092	msiexec.exe
Token: SeLockMemoryPrivilege	1092	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1092	msiexec.exe
Token: SeMachineAccountPrivilege	1092	msiexec.exe
Token: SeTcbPrivilege	1092	msiexec.exe
Token: SeSecurityPrivilege	1092	msiexec.exe
Token: SeTakeOwnershipPrivilege	1092	msiexec.exe
Token: SeLoadDriverPrivilege	1092	msiexec.exe
Token: SeSystemProfilePrivilege	1092	msiexec.exe
Token: SeSystemtimePrivilege	1092	msiexec.exe
Token: SeProfSingleProcessPrivilege	1092	msiexec.exe
Token: SeIncBasePriorityPrivilege	1092	msiexec.exe
Token: SeCreatePagefilePrivilege	1092	msiexec.exe
Token: SeCreatePermanentPrivilege	1092	msiexec.exe
Token: SeBackupPrivilege	1092	msiexec.exe
Token: SeRestorePrivilege	1092	msiexec.exe
Token: SeShutdownPrivilege	1092	msiexec.exe
Token: SeDebugPrivilege	1092	msiexec.exe
Token: SeAuditPrivilege	1092	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1092	msiexec.exe
Token: SeChangeNotifyPrivilege	1092	msiexec.exe
Token: SeRemoteShutdownPrivilege	1092	msiexec.exe
Token: SeUndockPrivilege	1092	msiexec.exe
Token: SeSyncAgentPrivilege	1092	msiexec.exe
Token: SeEnableDelegationPrivilege	1092	msiexec.exe
Token: SeManageVolumePrivilege	1092	msiexec.exe
Token: SeImpersonatePrivilege	1092	msiexec.exe
Token: SeCreateGlobalPrivilege	1092	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jp2launcher.exe

pid process

4584 jp2launcher.exe

pid	process
4584	jp2launcher.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe41javaSetup.exemsiexec.exeMsiExec.exejavaws.exe

description	pid	process	target process
PID 876 wrote to memory of 796	876	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	cscript.exe
PID 876 wrote to memory of 796	876	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	cscript.exe
PID 876 wrote to memory of 796	876	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	cscript.exe
PID 876 wrote to memory of 4044	876	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
PID 876 wrote to memory of 4044	876	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
PID 876 wrote to memory of 4044	876	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
PID 4044 wrote to memory of 4604	4044	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	41javaSetup.exe
PID 4044 wrote to memory of 4604	4044	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	41javaSetup.exe
PID 4044 wrote to memory of 4604	4044	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	41javaSetup.exe
PID 4604 wrote to memory of 1092	4604	41javaSetup.exe	msiexec.exe
PID 4604 wrote to memory of 1092	4604	41javaSetup.exe	msiexec.exe
PID 4604 wrote to memory of 1092	4604	41javaSetup.exe	msiexec.exe
PID 4952 wrote to memory of 4820	4952	msiexec.exe	MsiExec.exe
PID 4952 wrote to memory of 4820	4952	msiexec.exe	MsiExec.exe
PID 4952 wrote to memory of 4820	4952	msiexec.exe	MsiExec.exe
PID 4952 wrote to memory of 2776	4952	msiexec.exe	MsiExec.exe
PID 4952 wrote to memory of 2776	4952	msiexec.exe	MsiExec.exe
PID 4952 wrote to memory of 2776	4952	msiexec.exe	MsiExec.exe
PID 2776 wrote to memory of 1932	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 1932	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 1932	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 2268	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 2268	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 2268	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 4308	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 4308	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 4308	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 4780	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 4780	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 4780	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 1964	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 1964	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 1964	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 3660	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 3660	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 3660	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 4492	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 4492	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 4492	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 716	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 716	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 716	2776	MsiExec.exe	unpack200.exe
PID 2776 wrote to memory of 1852	2776	MsiExec.exe	javaw.exe
PID 2776 wrote to memory of 1852	2776	MsiExec.exe	javaw.exe
PID 2776 wrote to memory of 1852	2776	MsiExec.exe	javaw.exe
PID 6120 wrote to memory of 6140	6120	javaws.exe	javaw.exe
PID 6120 wrote to memory of 6140	6120	javaws.exe	javaw.exe
PID 6120 wrote to memory of 6140	6120	javaws.exe	javaw.exe
PID 6120 wrote to memory of 4584	6120	javaws.exe	jp2launcher.exe
PID 6120 wrote to memory of 4584	6120	javaws.exe	jp2launcher.exe
PID 6120 wrote to memory of 4584	6120	javaws.exe	jp2launcher.exe
PID 876 wrote to memory of 4512	876	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	javaw.exe
PID 876 wrote to memory of 4512	876	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	javaw.exe
PID 876 wrote to memory of 4512	876	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	javaw.exe
PID 4044 wrote to memory of 2464	4044	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	javaw.exe
PID 4044 wrote to memory of 2464	4044	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	javaw.exe
PID 4044 wrote to memory of 2464	4044	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	javaw.exe
PID 4044 wrote to memory of 1472	4044	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	javaw.exe
PID 4044 wrote to memory of 1472	4044	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	javaw.exe
PID 4044 wrote to memory of 1472	4044	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	javaw.exe
PID 876 wrote to memory of 4344	876	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	javaw.exe
PID 876 wrote to memory of 4344	876	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	javaw.exe
PID 876 wrote to memory of 4344	876	92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe	javaw.exe

C:\Users\Admin\AppData\Local\Temp\92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\cscript.exe
cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
2⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\92466b4aae1db6ad9cf80e7d5dddc379_JaffaCakes118.exe" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
2⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
"C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Program Files (x86)\Java\jre7\bin\javaw.exe
"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Roaming\Zona\tmp\18467Zona.7z" "C:\PROGRA~2\Zona" "C:\Users\Admin\AppData\Local\Temp\zonaErr_core_-558109392.log"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2464

C:\Program Files (x86)\Java\jre7\bin\javaw.exe
"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Roaming\Zona\tmp\6334appdata.7z" "C:\Users\Admin\AppData\Roaming\Zona" "C:\Users\Admin\AppData\Local\Temp\zonaErr_plugin_-558108236.log"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472

C:\Program Files (x86)\Java\jre7\bin\javaw.exe
"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" ru.megamakc.core.JavaArch
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4512

C:\Program Files (x86)\Java\jre7\bin\javaw.exe
"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4344

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 05BDA3611E878B8DB6455DFA4B13671B
2⤵
- Loads dropped DLL
PID:4820

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 85294F13B2DF8997F8D6E6D7BC3C0E0A E Global\MSI0000
2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4308

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:4780

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3660

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4492

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:716

C:\Program Files (x86)\Java\jre7\bin\javaw.exe
"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1852

C:\Program Files (x86)\Java\jre7\bin\javaws.exe
"C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:6120

C:\Program Files (x86)\Java\jre7\bin\javaw.exe
"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6140

C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe
"C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW5camF2YXcuZXhl -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58029e.rbs
Filesize
10KB

MD5
a74e701082505c3d383ea8729888c337

SHA1
711b197c20c29f8da6b2f2e3879e31e3bc087b00

SHA256
0296ad978c99f13fd2fd163110e6d78f94ab07cf3150c48d654300e8dd1c32c3

SHA512
000c297c0cfa171d7aec9addc4f6cb211e1252d7e5a54ffac9855b10108ee99dd1c7a01eb1d5c29fe91d561aae9cea3dc5c376de41e04c88ff4779f198c44916

Download Submit
C:\Program Files (x86)\Java\jre7\bin\MSVCR100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\Java\jre7\bin\WindowsAccessBridge-32.dll
Filesize
95KB

MD5
1722510af00ea3c7406681b47bf442f7

SHA1
cafac266d52d78d3743c31ebef22a894781e0de5

SHA256
4010a3ec604a327861bedf01626c12eaded9d381b6e4f0e6f760895838834a21

SHA512
31a2ce3d5eb9828cbb82d2a7e29f2c5bf46528d38f25827329512cedde37bd03b3cfdba0aba3320b6c0e7779588958e83bff735f6059aad37172598e70e863eb

Download Submit
C:\Program Files (x86)\Java\jre7\bin\client\jvm.dll
Filesize
3.4MB

MD5
27147e1e3faf9b5ccda882cd96f2a85c

SHA1
7103f60121727917f812bfc7cdff5347fc17cc8e

SHA256
500d359211ece211cf672de328345876f016fb4a476b2a03cbc3b8b89023ae1f

SHA512
0866c604911e243687e7fe721142eb882b19691c902736b59ba304933463d8c9154ecc319b91c9771cee8139e151cc2a2e960bc7a93ed97352cf5232a0964194

Download Submit
C:\Program Files (x86)\Java\jre7\bin\deploy.dll
Filesize
371KB

MD5
87ec9d4a00d34eb6a0f8f92e1d1cc08e

SHA1
bee4ecae201905096dd44d1d348ecb3556d90832

SHA256
352707a271a9ab5d0e190a539b6468d6c6c5ce9675b300acf2305aa1f30625d8

SHA512
5b7f9866168ad7948a5a80078b14ff747201d17922ca907072a081e0078f6ac68446ddd36b027b4a17f5afa7d1bb4962642cff28cf66867171ebb78735f242d2

Download Submit
C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
Filesize
864KB

MD5
bc3a575dfb1a58d35e8617f2966bf1ea

SHA1
6353630f62e246d7f462134e8d10a7a42935e20f

SHA256
c029fd3c6ffd2158d0633fc122786838a6f5d3cc7ef78bbe934697015c8c63dd

SHA512
c976da30d343f8e104bec72300dc0c17e582e380f0a3ae85b242dbf2d5b40459feb4a3b7789fb8d755b21cbaa0940038d20dbbf1296a48e77b461092abbbe514

Download Submit
C:\Program Files (x86)\Java\jre7\bin\java.dll
Filesize
117KB

MD5
a258a133f7d565600647a248ab95792c

SHA1
1c6a855ca1fc04413b906b0b17609eff38317161

SHA256
81ad5696a6fcad89127fc7a428636d431b446ff1ee0c37bf87e8d513a8bae7af

SHA512
bf9dd97947eb0c71243ae28255af54b06d9e17af7ade666538dd93f9fdf6d8fbc3855f48bfaf6522dbd9ce3c6cff655581f092709670606d033f2321b1f4a5e7

Download Submit
C:\Program Files (x86)\Java\jre7\bin\java.exe
Filesize
171KB

MD5
88651044108e995f9801e35d2582491c

SHA1
abbf404c0253d085223a64ab947e1057c4211c9c

SHA256
c7fd72a0730b377c6da5ac80cdaf5f4cca84cc999a563a4c420fe5a8576810f8

SHA512
486b1d7ad7c3debcb8d70f9351adb08c8321c4cfb409a00ff818be1dacdc376a0eded630ccdc74aa99cc472589b88c9681989076fd78eb109759d33e7bf70543

Download Submit
C:\Program Files (x86)\Java\jre7\bin\javaw.exe
Filesize
171KB

MD5
64e2bb67ea740860510dcc5c2b6ffa2d

SHA1
6c5996358264624cdb4a075acc4f0b46177cd259

SHA256
844ab2231f45fad60d81770ea36d9937da9aa72cd905ce06e7471ddf9d69263b

SHA512
ed24331883ada44d8b034f5c8bc458e53234109d5cd02a27989972033f5b3305d23365106ce80be81caa16e472c14c103e457a1e0d138eb0d95036e58d877462

Download Submit
C:\Program Files (x86)\Java\jre7\bin\javaws.exe
Filesize
266KB

MD5
2b4493bb1f94580c41def972ea9a887e

SHA1
880ca8b20c6df9a6a176b91cc50304cb0fe66d06

SHA256
841339373958786d9c93a7dad5de8fd213ed6b5ad69623f5a5762a453c48e0a5

SHA512
b43e54f2c1f3e0a3c3d2fcee518e47d17476bb735606351e41b49e97e10af758ea9a539ac370a2d12cffa93e3e752e829db969968664c59386f65b732c29e40e

Download Submit
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
Filesize
145KB

MD5
0d46182b6134aa9c7acd16133d67e4c3

SHA1
7b5be3d65e5e744723bf55a08f9dc1042585d5eb

SHA256
c89091f2a4de2fcf10b30e54a74ec5764e2dfc0577f4f1d879ac8816e3b08bcc

SHA512
735b6c6bd69b22a71c15ae44c6fa1693700321dc3b4b2367ce05d5c37df62e45d1d3836c2c0f5e44be1036aeb11a533c2a4dbec55163b4a15adfa1c8ef75673b

Download Submit
C:\Program Files (x86)\Java\jre7\bin\verify.dll
Filesize
38KB

MD5
cb89b1d71061f5ec52468528ecc0b1fc

SHA1
6feb23a8b5719c8997de92c7da644807fcba8819

SHA256
87d8d59972e73700507c07cee8750b0053c6a0899410338722a00c2803d39ee6

SHA512
2ff0ed38c7f28eb7ea16f24a0841dfb3306c4fec48ded5fddec8c3140f1a425433a444fe6b6cc4c17b3a39841c8ab0c23d7c9525c119c1b9d6daac2c17a4e4b0

Download Submit
C:\Program Files (x86)\Java\jre7\bin\wsdetect.dll
Filesize
159KB

MD5
958bc8d82e4d0a5b51536bb4fc4fb6d6

SHA1
626312fa01c72ec5c85c9262ba0ae97a8b1f5b25

SHA256
2ef891881d506084ed182a0ac58b10dbe8c45877ef889ac9105f19431beee4ca

SHA512
fe17b58e3eed817619bebf6d091aee99fdc331c9c5a4163e9f5993b41b2e7362365da210e0636755ada6b8838012de1bc5435b8670aa12f378a3c9e3a9f5af04

Download Submit
C:\Program Files (x86)\Java\jre7\bin\zip.dll
Filesize
66KB

MD5
1ecf056944068b933ba71cda3edc4a68

SHA1
2052b2138db0d9a368942470b41bb6fc5b1d4007

SHA256
35ce7ab154a38e97951714e17f7689873d89e8c01188de6e5cd741bc0ca3e384

SHA512
cadf312841d392a9970cc068b72063e17454d5e6738b46ec9622257d9dfc0bcad0d9420352752bf7d8f8e8ceaf6aca97d83896f753dc12cfeac3e5efb5e1ab05

Download Submit
C:\Program Files (x86)\Java\jre7\lib\charsets.pack
Filesize
1.3MB

MD5
549bbcd204914b543dafee670f110834

SHA1
012461935191a55482e8c3d453d245e965a10a2a

SHA256
8ea5af036ec067a0abcf87b8f5921e2281ff9d259e1d4c3bbe7fa9037cd87d02

SHA512
b0346a2ec52ce47351286f27f347f5fea99e160aedde52bcf74e1629739704bd975c9c99d8db6be3b6bd45e7fa933616fa081eda49e9b911efcc031c7241400e

Download Submit
C:\Program Files (x86)\Java\jre7\lib\deploy.pack
Filesize
1.7MB

MD5
b2a448112b7c886ccce9b6a3d5efd8a0

SHA1
660bc9efe960015b208a421b1a63443e7151024f

SHA256
928f6b847f94b920c462a08c43f0dfd3f7c40076b1cd60545523a5c27a4870ca

SHA512
871da63f4eaf16d77ba6c19c10d8ddd8e94f744c20a70e24793f837023d20e56698d85f67498bc06ec37b73a8f376c220afbe7f3884b00536b710ff49c339b3f

Download Submit
C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack
Filesize
736KB

MD5
c8dc1cfeaf0fefc39ed0f1de4eaa175c

SHA1
11cacbb9e5724d37789455de37a225d8e0c648a1

SHA256
da2803a283d28882182e1e280b4f25ee1579a5805e73fcc9882e63968f102a8f

SHA512
6b419ba94ae90f8caa3a57690f2ec7e249c9fb8ab86819439621cde1243c7636ee76820622ce32ed483ce76976f7ced74778898fc2725b1a2407b039fb53508c

Download Submit
C:\Program Files (x86)\Java\jre7\lib\i386\jvm.cfg
Filesize
686B

MD5
5147cce789cd18ad6b2996eb89e5d866

SHA1
756f1fffe96ef581f0d4d47253523544c89a2622

SHA256
c471d622198461715f245d478484fc7c8de533313c56e922931a875460a5aa88

SHA512
55f53adb70b1cf741cdf0dee74d92d2bf4c96954a760afae289972a0ea9bb27bc5eb4df1bd41829c7c484211fcb294fe296a4d560d8a1cdbb8c707b3bf2a79a6

Download Submit
C:\Program Files (x86)\Java\jre7\lib\images\cursors\invalid32x32.gif
Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Program Files (x86)\Java\jre7\lib\javaws.pack
Filesize
205KB

MD5
491bce42c6cd8af88a2e11f37711ed4f

SHA1
3de7c18fee44465a6afe34e068f2a64dea9fa324

SHA256
ee43869ee94eefe241d661101ff6a03cc276f8e558967b1b350ea088f1dad2e2

SHA512
1e5f99466b77b5a82c23449434272acf5746811ef96b98105f89b3339ccd86734d7713c94b773755219345d673a761a356fbe846a38e7893bd8894e43cf102e4

Download Submit
C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack
Filesize
3.2MB

MD5
dfaa6429468d56ef77932cf26a495f75

SHA1
8a21a29225640f1829ae328a24ef9cb5e215a4e0

SHA256
8c481a549acfa58b1bac0385906febe33a928d004a529fec505b6a9228678fed

SHA512
6c19ed573b111315648de0646441486729b304452c15b2282938460a2339db0be4e1eb19cf6f2bf17f73037811ca2553a15957ea96b9d9af64a93045407c1148

Download Submit
C:\Program Files (x86)\Java\jre7\lib\jsse.pack
Filesize
141KB

MD5
31b4d9c29d29567b0ae3037fac9fbdc6

SHA1
8b5d1b1a309177466d71a742414d441f600ea38e

SHA256
9f031f2f1292bb311c400b0a93a11b78a08f013332b1263ea58617b6548862eb

SHA512
b4a8a3a1e837f98a3164e19a6fe939819eb336892335de975822890b52b5923d85fee4c4e5464ccb0d46c847f37f7da98a839aadbf4d20fca355f396a53836c0

Download Submit
C:\Program Files (x86)\Java\jre7\lib\plugin.pack
Filesize
489KB

MD5
47d6cfa1b01a6d41885504bbc3b1919a

SHA1
3838060f9d530c972d65f36fa38b265120a218aa

SHA256
93defaaf7f82e2e9565b27dd31a41c89e02d1b7719d0da0b940a55dcc75b91e5

SHA512
b0df9b174624234aaeb2b50cf611f698377925a0ae5c5ee9da46c65fcecf4d28941d1bf2332316d9327981c1f8c6c4fecf750e013f04eef63f5df52d27593135

Download Submit
C:\Program Files (x86)\Java\jre7\lib\rt.pack
Filesize
13.1MB

MD5
b6d75e8c90c79af1579769f10b1e5c88

SHA1
146cb3f05fa161885e8faf079fa2bbd89b5c5b18

SHA256
82dc6806d9ec9eb16604f90a5c78d0d882b69a0e718d8f6c3c6b7c9719887b7e

SHA512
02cdd0c0d6e71bc09120db2cd3b9471c0176567d92bb74a08c13e82c1d23722eb4afac41583a11dee3fc531fd442754ee0f5cb964898ec036ddd432947996037

Download Submit
C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT
Filesize
27B

MD5
7da9aa0de33b521b3399a4ffd4078bdb

SHA1
f188a712f77103d544d4acf91d13dbc664c67034

SHA256
0a526439ed04845ce94f7e9ae55c689ad01e1493f3b30c5c2b434a31fa33a43d

SHA512
9d2170571a58aed23f29fc465c2b14db3511e88907e017c010d452ecdf7a77299020d71f8b621a86e94dd2774a5418612d381e39335f92e287a4f451ee90cfb6

Download Submit
C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+5
Filesize
27B

MD5
a2abe32f03e019dbd5c21e71cc0f0db9

SHA1
25b042eb931fff4e815adcc2ddce3636debf0ae1

SHA256
27ba8b5814833b1e8e8b5d08246b383cb8a5fb7e74e237cdbcadf320e882ab78

SHA512
197c065b9c17c6849a15f45ac69dafa68aaa0b792219fedb153d146f23997bfa4fbc4127b1d030a92a4d7103bded76a1389df715b9539ea23ea21e6a4bb65fb2

Download Submit
C:\Program Files (x86)\Java\jre7\lib\zi\HST
Filesize
27B

MD5
715dc3fcec7a4b845347b628caf46c84

SHA1
1b194cdd0a0dc5560680c33f19fc2e7c09523cd1

SHA256
3144bc5353ebbd941cdccbbd9f5fb5a06f38abf5cc7b672111705c9778412d08

SHA512
72ab4b4ad0990cce0723a882652bf4f37aac09b32a8dd33b56b1fbf25ac56ae054328909efd68c8243e54e449d845fb9d53dd95f47eaaf5873762fcd55a39662

Download Submit
C:\Program Files (x86)\Java\jre7\lib\zi\MST
Filesize
27B

MD5
11f8e73ad57571383afa5eaf6bc0456a

SHA1
65a736dddd8e9a3f1dd6fbe999b188910b5f7931

SHA256
0e6a7f1ab731ae6840eacc36b37cbe3277a991720a7c779e116ab488e0eeed4e

SHA512
578665a0897a2c05eda59fb6828f4a9f440fc784059a5f97c8484f164a5fcec95274159c6ff6336f4863b942129cb884110d14c9bd507a2d12d83a4e17f596d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Filesize
1KB

MD5
201089e7834f6530271b9e84d35a93ee

SHA1
be3b9fdd64413232576a6487448df774c2062300

SHA256
284ed1070395919f53f42a6dbade26ccf684b84b8ad230bb3a778c913ef803aa

SHA512
baf2582c4bea607f4d4b7cb0a4b37acf1df75ecd424e35510c48beceaacfb287a04e073faf4e7666607a44990a510acb6e052eab340b40eac22196d195d821e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\Data1.cab
Filesize
24.6MB

MD5
003a488a2139105704566b47eb29520d

SHA1
52d672a592cd52ad5e2e7239421f2659e0d17afa

SHA256
a84262dd486cf59049d0d2d9a1b00dfb5aa5271592edd8de0e052f12496dec67

SHA512
ab34061f8e04bb1d59f1b35e0e1848a176f2b119095e79015130da3a4384c70fa35ecbe1625e07c0eb0de49c67bcdbba59f10fa1dfbbb2066dcb6ee6825215de

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi
Filesize
898KB

MD5
e24d9b483ce7a3a6a4406111883457f7

SHA1
0d5efff0d110c48f5e6f5d438967427f1e2dbf84

SHA256
dbf28e21d55dd662cccf4d422a1a645a6a3dbfd6914942dde417d20c4d2fe01c

SHA512
b614b023ce683e78ee685be028fa06d7df90f10360d55de2a8c1214200b0b85998683502f377b01584bf23b72b168c33ef560a78d7abdf68aa3af87beca59398

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
8KB

MD5
97f33c577afbcbc5ef997691b9981936

SHA1
cf92f385942ac8353fca526bf17679c7af97c3ce

SHA256
6ae7847e9226910278a3805b1ff82bdf71fce014a9084ca48f8d301846ffeded

SHA512
6218a5bb6867bb969f2d0b7366b86daca8f333a487e30d9a431f0a27c67b94ff87cf1c0deb09e4c22ed66bfc94ef02b24be206ad45ccb33b3941afa7f6bec20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
1KB

MD5
3ae554bcf2afa7c78e5ddec718541ba5

SHA1
d6ee00053c0154b8d34db55e578400a88fd80512

SHA256
6cc04488d86c01af4824abc9649576853532b39638e30931c5c857e81b943869

SHA512
d078e37cce640c6ffab26f0f817cb653471bcbffe3da39167a3c590a8dd4f79e7b4338bbed5e246093e8f76cb5f18fcbdb14676c18b0c4205ae2df066821e198

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
4KB

MD5
b7fc59c789e4bcc44dbeffa6cad20c74

SHA1
480e44fb0e5454e8d123f33d0b88d179bcc35604

SHA256
e65fcc857685c05e1437c55fbbba6675f5a3612a3910e5a0543e3c2667c1599b

SHA512
f0dda17c3df0160afd7fb5cebdf961b20e8a0d1ac3cdab1e5bd9f2ddf31dc04cbd77ed6577adead4ff34f65595769a1ebba4fb35d0084093e01984967505008f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
4KB

MD5
17c03241daef152ba687bbdbdd346902

SHA1
3204a68a2c1695dd329c72b90384af7d3079ec57

SHA256
837bfbb16992d28a533c4b6c2f44144e9bf370b89b6ec38e58de1ec127ebedaf

SHA512
11b561d178fba79a89b8689d2bf672ff8f04034e0fbdb7ee8c45be4bc62a083d574fc574782cd15155e2c7bb5dab37a27499758bf236f26d5dc3ec25d4be9778

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
4KB

MD5
f676c24ce9b45eebf1f2cc3a10c8b6b4

SHA1
d8e79ff9020aaf39c26c86adc85b58d435ef7b7e

SHA256
111f4e62997e41aa096c3065d7b1319645d89255b6a7a94568818914f16ad2a4

SHA512
577d8f7c43a37a3e4a50499307269120dd113a3690288d1d7792717c4cd35bc6e6a99e256ffb2e78650e84a52a4ca3b36ac2b4c18b5c3ab57d97699f8146919a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
5KB

MD5
f24ba44cb86c4d69e700e42b63dba589

SHA1
821ced5ac80acda349707688831c506d9e3cf91b

SHA256
e5887fc47ce7c2b633b3e8e839478bfe5dc9179cb2442931786703ed1c285d3f

SHA512
71fd693c6a92a2b0202533eb82f8adc2acc5038d0c8bcec31297f08549e89bef990e887ea27f2aca8e86412a57b9b6f408c46d1f8c020018075968f1ec28bc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
6KB

MD5
ebb6b41d9d889000b6518d185c520ca8

SHA1
f4fb8bd6c6738c9c04b8f081c16e3d88d12978d1

SHA256
0869b4420daeed458dd2e94000f9ff349b6c34ac9426af2728d2966dd8138db9

SHA512
e22e0f7333b134e88bb448d42e4ec0049f127b63307c9e905e1c9ae9cd9f01d997b029f9a0944e5e92331cb83df5fdfb53b3aa9c91eb93f00f3cb558d83a2093

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
Filesize
1KB

MD5
59fbfd892b88251a8b6b1991b8487394

SHA1
bdd3d60646b50d436677e011d0d8a01edf98944a

SHA256
3a54f7eb675cc62cba8acf532bfdf6e1bec560bebb3da90406c1c702e2746497

SHA512
b3dca9338f0f78c4de60d47faed3c030ec103213fe4d2169503548aab53c3c4521591b8b6977f52e8772a474c89a70d055df36dbe33d8ea95fb821e7062bb9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs
Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
22KB

MD5
525bf7f5b63ffd5e86fa3aee92551c21

SHA1
bf3cd939fe57f5076afbd231cb5b1b0ea03ba5d0

SHA256
e0e88bda4bcbbcfadb1009060372744f8b3f3628ae29b1d310a99255ec76aa7a

SHA512
825d048f8a3eb7ec88bda27eaf34b5c05a9545a12d48d29fc264aeae571fb2b4aa2957cd1b5459d53dc5d18b7968760d47136a6ec099c5612c3a7ab677b24d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
23KB

MD5
18f48d6714640435ab93cad409e10070

SHA1
fd33c178274fb08adb77cf5c695ce29ba32417bd

SHA256
f7468e1cf9cb05006bb7eebf4ce106f98828351ac7d8637486794ba90e5f5bc2

SHA512
632e4957e610ab787ed9a2cf3e8d988acb16e4cfc4d4df9b52682ca54fa4f7fed980b7b5dd69b1c4dd71554894ee5e5199da630b721f3c7403652f923a16dcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
23KB

MD5
a2623660c345873243bb8f88145663b5

SHA1
d8cabac7b4057649bb6ca31504719fb0881c7190

SHA256
3532daff57c2b70280ef79edf17af55d108b2d46b88bdbf248fab74db2a43d14

SHA512
60dc96479ae28a9011dee7a2e8ff2cb60ab548a6164ba8f5562fcd1cb154362677a68c98c62aa62333ac9812d4ddb3e332957efdbc5acfb5eade18f111c21f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
24KB

MD5
e2aaff5f40ba3fbc2df129ed2157dd19

SHA1
8d6b9aeeae45922687e24365cecffdc0e4997f08

SHA256
1e1a1fcf7c15b8f6019b1696765c696e69a510bb25fd29daa4f8286b206e738a

SHA512
e1e5a42c4b5bac65b4747b149a694d738fe7e4e7c5398ef564885796e4d9d3cf5ae4ef1cd2066dd6ba24463654c090d79ac84e0f1ad76575155deab8088e6843

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
25KB

MD5
d2c611a13ec2cd37d228aad0305dc734

SHA1
b7d5dd93fb333c96f9d0c516fc862a1f6dc31ae8

SHA256
648dac2d3607a22d24056d6d29f1e43343c0e812faffa92a381f627cc42789d4

SHA512
5e73bcfaf14e4a45068a74623e9ed39276844efc6269604ea231f1457c5837605e34ebc7fbf106156b0d653c3a0ce90bf0817d09a44a7b268718747506da70d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
25KB

MD5
250dd63c170bf6cc59e2a7a34edb348b

SHA1
da811a6038e340332de88fe1c2a574ee1bb8a8a8

SHA256
f46f4d796f236751d277dc24184765679d409c0e454ae07587ca09e0710a0f1f

SHA512
ffc14529043f3231ace3beda1cb14de9ef37d24221d462138eb8fe9cb255eacba42bb864e41a575b7c14773ae577f6e44afcd408f2415678f1019895e3c376c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
26KB

MD5
6395ef19c45e81bddd74837a1394acb5

SHA1
92a97d8fa5c76891d0df4b4d9812370ee85859b9

SHA256
a0da062ab80c0dc8d84f51bd76faf53001cd4b48bcbc0ddae6d75e210ea92ccb

SHA512
5bb7439566d386aa46774e71378284fff75855f2b5971345d54e5142a23a9488a49b1de2a9533d37cb3f33c8d50cc64727daac7c96ca6dd3779144379a068fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
26KB

MD5
cc147c8509b89de26462cd73e51d3df4

SHA1
b37e85f40a18c1832530a760b309799378f7f6a9

SHA256
2f0f162f348b4020566418fd30c090fac83883284dde7c163b923f68d0886c69

SHA512
b8ef88fc7c91371605dc12a6fae41fa576836ad7eecbf728cd78ab5de9b235c221d5f43d2e9f9adc234f6ae5c3e823dd1b213aaa0340aa8d341015ad393a3e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log
Filesize
3KB

MD5
a571a80e3e7f07d8d5318528ffcf057f

SHA1
e3ec23f4b500ff697f327a186c6b7a1d0203d242

SHA256
9bf99654183263090ac650e9f691e074a0de278848a0b618df2c074d9fac23e7

SHA512
70db57b8e9aafeaf7fb4e7c7bc4a7b91297b3e5ed7dbe683c63c8191bd98c0a92457d92ee4ee379eca4935c85362cbbfb1bc9fa4a00cc010afec40752d641be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
295KB

MD5
902d0dd64b9c8ca0e4a9160ba9e849b4

SHA1
c7ca2a744397150af56498093ac0a46e257002c6

SHA256
6f444f9831bcff56977515e858e4dd28d8410ca44cac0e7de52f47bdcfa8931d

SHA512
830dfe6acf33b459de6961046d4b1c192fdeedf87488519558aba29313f8ec83a2d2ec9a0af4afd89f32f343905c251626b08d4d79ac0f44d59a3f257f3e1755

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
296KB

MD5
f8c460488a1e6d7ab73e9dba10a0ed34

SHA1
ef6d76f83fdb8750cec426b2d1bc1b191e811722

SHA256
54042a5789eb06349be61d5b0335651ac8612e32396198c9ffef404257227b31

SHA512
9ce034760436f69b8c1e65a006604ea649668105f3cee8d2f53208f917d0b4810371d06cbf334f11d25835db637cae46c991652d7dad61c9ebe252833aa75a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
295KB

MD5
31c48dc2d3d0fbd61798fc25cf65340a

SHA1
53e4a0c492307669c86df7bf71bc9561d8f3d7cc

SHA256
2cdd27f358e658b667308e590302b13871d60a864ae04ad6d4a0c448d2665495

SHA512
6c5ade7ae1e4a57e08d5d546aa1f4d48af0d497fb0b4fcc023b6f15408a22a09b8d67f0f6fd31012fbc1a58f2190c873a501dd8fdbd6b900b522944c72ea26f7

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
Filesize
28.1MB

MD5
f2fd417b6d5c7ffc501c7632cc811c3e

SHA1
305c1493fca53ab63ba1686c9afdfb65142e59d3

SHA256
a87adf22064e2f7fa6ef64b2513533bf02aa0bf5265670e95b301a79d7ca89d9

SHA512
289ee902156537e039636722ad5ac8b0592cf5cffda3d03cf22240003627b049382b95db1b24cf6a2f7134b0df93ede65a80a86381fc161b54c84a76ed04458b

Download Submit
C:\Windows\Installer\MSI4BE.tmp
Filesize
202KB

MD5
9f84d910602183954bed6d9660600783

SHA1
82e3b122dc63e0a333bca531dd16667d5fafbf23

SHA256
bf4e4c75d148cb412e28a0b4e665919fd5ac6b9aa6bc3fa75401394759218d5e

SHA512
09fb450e6c6f22a32d5e06f470070aab17d4973afe307b529093af7fa29ab96b61a89814e4964d005459f8ebb25716134a5e1c41f6ea7d260361b135306544b9

Download Submit
memory/876-0-0x0000000000130000-0x00000000001BC000-memory.dmp

Filesize
560KB

Download
memory/876-1763-0x0000000000130000-0x00000000001BC000-memory.dmp

Filesize
560KB

Download
memory/876-79-0x0000000000130000-0x00000000001BC000-memory.dmp

Filesize
560KB

Download
memory/876-1623-0x0000000000130000-0x00000000001BC000-memory.dmp

Filesize
560KB

Download
memory/1472-1725-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1472-1721-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1852-875-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/2464-1685-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2464-1683-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4044-82-0x0000000000130000-0x00000000001BC000-memory.dmp

Filesize
560KB

Download
memory/4344-1756-0x0000000001560000-0x0000000001561000-memory.dmp

Filesize
4KB

Download
memory/4512-1615-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4584-1629-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/4584-1622-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/6140-1497-0x0000000001490000-0x0000000001491000-memory.dmp

Filesize
4KB

Download
memory/6140-1475-0x000000003A800000-0x000000003A810000-memory.dmp

Filesize
64KB

Download