139ee6fc065e526efac3cf24d50d0d95c78e1a10ff2cf40839cd4756fff43e71

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe
Size

206KB
MD5

965abae8ef3e9859e0e473c5f3cffccf
SHA1

6fb809712f1aa97ad226186702c6cc9528144b44
SHA256

139ee6fc065e526efac3cf24d50d0d95c78e1a10ff2cf40839cd4756fff43e71
SHA512

3c040033cf886f1f272d2ba02c6bf2b1e294a8d7dd25286e201c43b4ac9ee7f3e78ee2e8c9c5a340c6a93711258936d23e0391aa62fb2536a58e973fb9e69262
SSDEEP

6144:q8+9tCJQBqCYaM+QcEdNc4fdem9UJNh+ytHFoSyG0:sf2aM+Qcn4V/8NhnpFoSyn

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 18 IoCs

pid	Process
816	41javaSetup.exe
1932	unpack200.exe
1936	unpack200.exe
2988	unpack200.exe
2120	unpack200.exe
1604	unpack200.exe
1752	unpack200.exe
2600	unpack200.exe
2732	unpack200.exe
2764	javaw.exe
2796	javaws.exe
2760	javaw.exe
308	jp2launcher.exe
872	jaureg.exe
2876	javaw.exe
1084	javaw.exe
1964	javaw.exe
1712	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
2620	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe
1268	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
1932	unpack200.exe
1936	unpack200.exe
2988	unpack200.exe
2120	unpack200.exe
1604	unpack200.exe
1752	unpack200.exe
2600	unpack200.exe
2732	unpack200.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2764	javaw.exe
2764	javaw.exe
2764	javaw.exe
2764	javaw.exe
2764	javaw.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2184	MsiExec.exe
2796	javaws.exe
2796	javaws.exe
2796	javaws.exe
2796	javaws.exe
2796	javaws.exe
2796	javaws.exe
2760	javaw.exe
2760	javaw.exe
2760	javaw.exe
2760	javaw.exe
2760	javaw.exe
2796	javaws.exe
2796	javaws.exe
2796	javaws.exe
308	jp2launcher.exe
308	jp2launcher.exe
308	jp2launcher.exe
308	jp2launcher.exe
308	jp2launcher.exe
308	jp2launcher.exe
308	jp2launcher.exe
308	jp2launcher.exe
308	jp2launcher.exe
308	jp2launcher.exe
1600	MsiExec.exe
1600	MsiExec.exe
816	41javaSetup.exe
2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe
2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe
2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe
2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe
2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0071-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0033-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0024-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0075-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0091-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0055-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0079-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0053-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0048-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0094-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2036-0-0x00000000001F0000-0x000000000027C000-memory.dmp	upx
behavioral1/memory/2620-41-0x00000000001F0000-0x000000000027C000-memory.dmp	upx
behavioral1/memory/2036-80-0x00000000001F0000-0x000000000027C000-memory.dmp	upx
behavioral1/memory/2620-81-0x00000000001F0000-0x000000000027C000-memory.dmp	upx
behavioral1/memory/2036-1159-0x00000000001F0000-0x000000000027C000-memory.dmp	upx
behavioral1/memory/2036-1286-0x00000000001F0000-0x000000000027C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
22	264	msiexec.exe
24	264	msiexec.exe
26	264	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	MsiExec.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\java.exe	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\java.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\javaw.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	MsiExec.exe
File created	C:\Windows\SysWOW64\javaws.exe	MsiExec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre7\lib\accessibility.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\deploy\splash.gif	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\San_Juan	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Ojinaga	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Sitka	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Vancouver	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Antarctica\Troll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Atlantic\Bermuda	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\cmm\GRAY.pf	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Yellowknife	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Damascus	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+6	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\npoji610.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\security\blacklist	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Indiana\Tell_City	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Riyadh89	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Vienna	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\dt_socket.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jpiexp.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\plugin.pack	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\security\javaws.policy	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Godthab	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\North_Dakota\New_Salem	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Brunei	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Atlantic\Faroe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Niue	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\JavaAccessBridge-32.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\fontconfig.properties.src	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\Jujuy	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Chihuahua	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Indiana\Petersburg	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Swift_Current	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Gaza	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-7	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Indian\Mauritius	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jpicom.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\resources.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Belize	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Boa_Vista	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+9	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\WindowsAccessBridge-32.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Paramaribo	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Pyongyang	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Zaporozhye	MsiExec.exe
File created	C:\PROGRA~2\Zona\License_uk.rtf	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jawt.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\t2k.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\fonts\LucidaBrightRegular.ttf	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Hermosillo	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Porto_Velho	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Thimphu	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Chuuk	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\deploy\messages_es.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\deploy.pack	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Algiers	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Australia\Brisbane	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\ktab.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Omsk	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Uzhgorod	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Indian\Kerguelen	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\deploy\messages_pt_BR.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Noronha	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Australia\Sydney	MsiExec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f76b812.ipi	msiexec.exe
File created	C:\Windows\Installer\f76b814.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID82A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE0D.tmp	msiexec.exe
File created	C:\Windows\Installer\f76b80e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b80c.ipi	msiexec.exe
File created	C:\Windows\Installer\f76b80f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID5C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID76B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD12.tmp	msiexec.exe
File created	C:\Windows\Installer\f76b80c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b80f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC188.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b812.ipi	msiexec.exe
File created	C:\Windows\Installer\f76b809.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b809.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "14208544"	MsiExec.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_26"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_58"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0085-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_85"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_66"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_09"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_01"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_05"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBB}	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_04"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_47"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0005-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_56"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_33"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_13"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0062-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_62"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_63"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_35"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_08"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_08"	MsiExec.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	41javaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	41javaSetup.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
308	jp2launcher.exe
264	msiexec.exe
264	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2964	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeSecurityPrivilege	264	msiexec.exe
Token: SeCreateTokenPrivilege	2964	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2964	msiexec.exe
Token: SeLockMemoryPrivilege	2964	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2964	msiexec.exe
Token: SeMachineAccountPrivilege	2964	msiexec.exe
Token: SeTcbPrivilege	2964	msiexec.exe
Token: SeSecurityPrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeLoadDriverPrivilege	2964	msiexec.exe
Token: SeSystemProfilePrivilege	2964	msiexec.exe
Token: SeSystemtimePrivilege	2964	msiexec.exe
Token: SeProfSingleProcessPrivilege	2964	msiexec.exe
Token: SeIncBasePriorityPrivilege	2964	msiexec.exe
Token: SeCreatePagefilePrivilege	2964	msiexec.exe
Token: SeCreatePermanentPrivilege	2964	msiexec.exe
Token: SeBackupPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeShutdownPrivilege	2964	msiexec.exe
Token: SeDebugPrivilege	2964	msiexec.exe
Token: SeAuditPrivilege	2964	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2964	msiexec.exe
Token: SeChangeNotifyPrivilege	2964	msiexec.exe
Token: SeRemoteShutdownPrivilege	2964	msiexec.exe
Token: SeUndockPrivilege	2964	msiexec.exe
Token: SeSyncAgentPrivilege	2964	msiexec.exe
Token: SeEnableDelegationPrivilege	2964	msiexec.exe
Token: SeManageVolumePrivilege	2964	msiexec.exe
Token: SeImpersonatePrivilege	2964	msiexec.exe
Token: SeCreateGlobalPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
308	jp2launcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2648	2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2648	2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2648	2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2648	2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2620	2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	31
PID 2036 wrote to memory of 2620	2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	31
PID 2036 wrote to memory of 2620	2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	31
PID 2036 wrote to memory of 2620	2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	31
PID 2036 wrote to memory of 2620	2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	31
PID 2036 wrote to memory of 2620	2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	31
PID 2036 wrote to memory of 2620	2036	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	31
PID 2620 wrote to memory of 816	2620	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	34
PID 2620 wrote to memory of 816	2620	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	34
PID 2620 wrote to memory of 816	2620	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	34
PID 2620 wrote to memory of 816	2620	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	34
PID 2620 wrote to memory of 816	2620	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	34
PID 2620 wrote to memory of 816	2620	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	34
PID 2620 wrote to memory of 816	2620	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	34
PID 816 wrote to memory of 2964	816	41javaSetup.exe	35
PID 816 wrote to memory of 2964	816	41javaSetup.exe	35
PID 816 wrote to memory of 2964	816	41javaSetup.exe	35
PID 816 wrote to memory of 2964	816	41javaSetup.exe	35
PID 816 wrote to memory of 2964	816	41javaSetup.exe	35
PID 816 wrote to memory of 2964	816	41javaSetup.exe	35
PID 816 wrote to memory of 2964	816	41javaSetup.exe	35
PID 264 wrote to memory of 1268	264	msiexec.exe	38
PID 264 wrote to memory of 1268	264	msiexec.exe	38
PID 264 wrote to memory of 1268	264	msiexec.exe	38
PID 264 wrote to memory of 1268	264	msiexec.exe	38
PID 264 wrote to memory of 1268	264	msiexec.exe	38
PID 264 wrote to memory of 1268	264	msiexec.exe	38
PID 264 wrote to memory of 1268	264	msiexec.exe	38
PID 264 wrote to memory of 2184	264	msiexec.exe	39
PID 264 wrote to memory of 2184	264	msiexec.exe	39
PID 264 wrote to memory of 2184	264	msiexec.exe	39
PID 264 wrote to memory of 2184	264	msiexec.exe	39
PID 264 wrote to memory of 2184	264	msiexec.exe	39
PID 264 wrote to memory of 2184	264	msiexec.exe	39
PID 264 wrote to memory of 2184	264	msiexec.exe	39
PID 2184 wrote to memory of 1932	2184	MsiExec.exe	40
PID 2184 wrote to memory of 1932	2184	MsiExec.exe	40
PID 2184 wrote to memory of 1932	2184	MsiExec.exe	40
PID 2184 wrote to memory of 1932	2184	MsiExec.exe	40
PID 2184 wrote to memory of 1936	2184	MsiExec.exe	41
PID 2184 wrote to memory of 1936	2184	MsiExec.exe	41
PID 2184 wrote to memory of 1936	2184	MsiExec.exe	41
PID 2184 wrote to memory of 1936	2184	MsiExec.exe	41
PID 2184 wrote to memory of 2988	2184	MsiExec.exe	42
PID 2184 wrote to memory of 2988	2184	MsiExec.exe	42
PID 2184 wrote to memory of 2988	2184	MsiExec.exe	42
PID 2184 wrote to memory of 2988	2184	MsiExec.exe	42
PID 2184 wrote to memory of 2120	2184	MsiExec.exe	43
PID 2184 wrote to memory of 2120	2184	MsiExec.exe	43
PID 2184 wrote to memory of 2120	2184	MsiExec.exe	43
PID 2184 wrote to memory of 2120	2184	MsiExec.exe	43
PID 2184 wrote to memory of 1604	2184	MsiExec.exe	44
PID 2184 wrote to memory of 1604	2184	MsiExec.exe	44
PID 2184 wrote to memory of 1604	2184	MsiExec.exe	44
PID 2184 wrote to memory of 1604	2184	MsiExec.exe	44
PID 2184 wrote to memory of 1752	2184	MsiExec.exe	45
PID 2184 wrote to memory of 1752	2184	MsiExec.exe	45
PID 2184 wrote to memory of 1752	2184	MsiExec.exe	45
PID 2184 wrote to memory of 1752	2184	MsiExec.exe	45
PID 2184 wrote to memory of 2600	2184	MsiExec.exe	46

C:\Users\Admin\AppData\Local\Temp\965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
    "C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2964
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\AU\au.msi" ALLUSERS=1 /qn
      4⤵
      PID:1552
  - - C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
      "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.7.0_80-b15
      4⤵
      Executes dropped EXE
      PID:872
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Roaming\Zona\tmp\18467Zona.7z" "C:\PROGRA~2\Zona" "C:\Users\Admin\AppData\Local\Temp\zonaErr_core_-449582356.log"
    3⤵
    - Executes dropped EXE
    PID:1084
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Roaming\Zona\tmp\6334appdata.7z" "C:\Users\Admin\AppData\Roaming\Zona" "C:\Users\Admin\AppData\Local\Temp\zonaErr_plugin_-449581202.log"
    3⤵
    - Executes dropped EXE
    PID:1964
- C:\Program Files (x86)\Java\jre7\bin\javaw.exe
  "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" ru.megamakc.core.JavaArch
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Program Files (x86)\Java\jre7\bin\javaw.exe
  "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
  2⤵
  - Executes dropped EXE
  PID:1712

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:264
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E9D7B25CB6F3A77151C25ED0B6AA4DA0
  2⤵
  - Loads dropped DLL
  PID:1268
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1297603A4A320DCC1FC0E50D9CF96CE M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1932
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1936
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2988
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2120
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1604
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1752
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2600
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2732
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2764
- - C:\Program Files (x86)\Java\jre7\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2796
  - - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
      "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2760
  - - C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW5camF2YXcuZXhl -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:308
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24DFF4A8F891D56024538EDF1BDBA581
  2⤵
  - Loads dropped DLL
  PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76b80d.rbs

Filesize
9KB

MD5
d857a7e4f5396455f5cfc6876ce72cbd

SHA1
9a36678c871608e34b38f21596a35847e25fc40f

SHA256
84d0378c45f75a5708abb366ff869102fcf0b1c4e19076472f412745e08f9a64

SHA512
f66162e92c5f94887b3b533a87b342d3509a0c60ff9820051ac41be4fe9099456049f491c04154eb97220ca7a1365b283eccaad8c924a762330e1b44ad44b5ea

Download Submit
C:\Config.Msi\f76b813.rbs

Filesize
8KB

MD5
783df9c0549f65023725f8db055db804

SHA1
9c08d29e53e51b0a94b2322c5620508ca8eec0a4

SHA256
1e5431cab5a9442d48e47201f16118e7072906f7f82f758fc0464502e80d4ab5

SHA512
50f5265db66049eaadc97f01b32e29d8651f51d525e2ef3ae9122cf53b582cc743f247562cae80943e1f0cbfcdf527b7ed07bfe5312c70721bc0c9a66ca6a94c

Download Submit
C:\Program Files (x86)\Java\jre7\bin\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll

Filesize
864KB

MD5
bc3a575dfb1a58d35e8617f2966bf1ea

SHA1
6353630f62e246d7f462134e8d10a7a42935e20f

SHA256
c029fd3c6ffd2158d0633fc122786838a6f5d3cc7ef78bbe934697015c8c63dd

SHA512
c976da30d343f8e104bec72300dc0c17e582e380f0a3ae85b242dbf2d5b40459feb4a3b7789fb8d755b21cbaa0940038d20dbbf1296a48e77b461092abbbe514

Download Submit
C:\Program Files (x86)\Java\jre7\bin\javaws.exe

Filesize
266KB

MD5
2b4493bb1f94580c41def972ea9a887e

SHA1
880ca8b20c6df9a6a176b91cc50304cb0fe66d06

SHA256
841339373958786d9c93a7dad5de8fd213ed6b5ad69623f5a5762a453c48e0a5

SHA512
b43e54f2c1f3e0a3c3d2fcee518e47d17476bb735606351e41b49e97e10af758ea9a539ac370a2d12cffa93e3e752e829db969968664c59386f65b732c29e40e

Download Submit
C:\Program Files (x86)\Java\jre7\lib\charsets.pack

Filesize
1.3MB

MD5
549bbcd204914b543dafee670f110834

SHA1
012461935191a55482e8c3d453d245e965a10a2a

SHA256
8ea5af036ec067a0abcf87b8f5921e2281ff9d259e1d4c3bbe7fa9037cd87d02

SHA512
b0346a2ec52ce47351286f27f347f5fea99e160aedde52bcf74e1629739704bd975c9c99d8db6be3b6bd45e7fa933616fa081eda49e9b911efcc031c7241400e

Download Submit
C:\Program Files (x86)\Java\jre7\lib\deploy.pack

Filesize
1.7MB

MD5
b2a448112b7c886ccce9b6a3d5efd8a0

SHA1
660bc9efe960015b208a421b1a63443e7151024f

SHA256
928f6b847f94b920c462a08c43f0dfd3f7c40076b1cd60545523a5c27a4870ca

SHA512
871da63f4eaf16d77ba6c19c10d8ddd8e94f744c20a70e24793f837023d20e56698d85f67498bc06ec37b73a8f376c220afbe7f3884b00536b710ff49c339b3f

Download Submit
C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack

Filesize
736KB

MD5
c8dc1cfeaf0fefc39ed0f1de4eaa175c

SHA1
11cacbb9e5724d37789455de37a225d8e0c648a1

SHA256
da2803a283d28882182e1e280b4f25ee1579a5805e73fcc9882e63968f102a8f

SHA512
6b419ba94ae90f8caa3a57690f2ec7e249c9fb8ab86819439621cde1243c7636ee76820622ce32ed483ce76976f7ced74778898fc2725b1a2407b039fb53508c

Download Submit
C:\Program Files (x86)\Java\jre7\lib\i386\jvm.cfg

Filesize
686B

MD5
5147cce789cd18ad6b2996eb89e5d866

SHA1
756f1fffe96ef581f0d4d47253523544c89a2622

SHA256
c471d622198461715f245d478484fc7c8de533313c56e922931a875460a5aa88

SHA512
55f53adb70b1cf741cdf0dee74d92d2bf4c96954a760afae289972a0ea9bb27bc5eb4df1bd41829c7c484211fcb294fe296a4d560d8a1cdbb8c707b3bf2a79a6

Download Submit
C:\Program Files (x86)\Java\jre7\lib\javaws.pack

Filesize
205KB

MD5
491bce42c6cd8af88a2e11f37711ed4f

SHA1
3de7c18fee44465a6afe34e068f2a64dea9fa324

SHA256
ee43869ee94eefe241d661101ff6a03cc276f8e558967b1b350ea088f1dad2e2

SHA512
1e5f99466b77b5a82c23449434272acf5746811ef96b98105f89b3339ccd86734d7713c94b773755219345d673a761a356fbe846a38e7893bd8894e43cf102e4

Download Submit
C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack

Filesize
3.2MB

MD5
dfaa6429468d56ef77932cf26a495f75

SHA1
8a21a29225640f1829ae328a24ef9cb5e215a4e0

SHA256
8c481a549acfa58b1bac0385906febe33a928d004a529fec505b6a9228678fed

SHA512
6c19ed573b111315648de0646441486729b304452c15b2282938460a2339db0be4e1eb19cf6f2bf17f73037811ca2553a15957ea96b9d9af64a93045407c1148

Download Submit
C:\Program Files (x86)\Java\jre7\lib\jsse.pack

Filesize
141KB

MD5
31b4d9c29d29567b0ae3037fac9fbdc6

SHA1
8b5d1b1a309177466d71a742414d441f600ea38e

SHA256
9f031f2f1292bb311c400b0a93a11b78a08f013332b1263ea58617b6548862eb

SHA512
b4a8a3a1e837f98a3164e19a6fe939819eb336892335de975822890b52b5923d85fee4c4e5464ccb0d46c847f37f7da98a839aadbf4d20fca355f396a53836c0

Download Submit
C:\Program Files (x86)\Java\jre7\lib\plugin.pack

Filesize
489KB

MD5
47d6cfa1b01a6d41885504bbc3b1919a

SHA1
3838060f9d530c972d65f36fa38b265120a218aa

SHA256
93defaaf7f82e2e9565b27dd31a41c89e02d1b7719d0da0b940a55dcc75b91e5

SHA512
b0df9b174624234aaeb2b50cf611f698377925a0ae5c5ee9da46c65fcecf4d28941d1bf2332316d9327981c1f8c6c4fecf750e013f04eef63f5df52d27593135

Download Submit
C:\Program Files (x86)\Java\jre7\lib\rt.pack

Filesize
13.1MB

MD5
b6d75e8c90c79af1579769f10b1e5c88

SHA1
146cb3f05fa161885e8faf079fa2bbd89b5c5b18

SHA256
82dc6806d9ec9eb16604f90a5c78d0d882b69a0e718d8f6c3c6b7c9719887b7e

SHA512
02cdd0c0d6e71bc09120db2cd3b9471c0176567d92bb74a08c13e82c1d23722eb4afac41583a11dee3fc531fd442754ee0f5cb964898ec036ddd432947996037

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17171f985f70ddec5b0a28d815aaee39

SHA1
11c9835f5f361bb14506af94724e2398934a1955

SHA256
2cc2d4a1b971df57b83bf8dd55a37d9217b76dcb55de60807c90591a42330ebe

SHA512
2732b759ebe5791d7e79e94fcaafcdcb207636d556922eac6138f9cac9c579e18ad98c304e157f08b1bb1f77251781d4b1df240ed029599ed3ff72932228dd5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
d3ec4267cb2f1bd30ec52ed612cefc84

SHA1
831dfa5d3a911ccba82bf964258f79055837bce0

SHA256
c972e49a8df6b9eaee83991b7ad9419dd62540c02241b7acd52f832651e28a16

SHA512
55a760ed122a7310581986cb32dfc03e12bcf606158f16a8f5b2f3e2bf7e58dba8da9ebff74cdbedd067248d69ff6e591b284dfbb7db47b152b87f881adf87df

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\Data1.cab

Filesize
24.6MB

MD5
003a488a2139105704566b47eb29520d

SHA1
52d672a592cd52ad5e2e7239421f2659e0d17afa

SHA256
a84262dd486cf59049d0d2d9a1b00dfb5aa5271592edd8de0e052f12496dec67

SHA512
ab34061f8e04bb1d59f1b35e0e1848a176f2b119095e79015130da3a4384c70fa35ecbe1625e07c0eb0de49c67bcdbba59f10fa1dfbbb2066dcb6ee6825215de

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi

Filesize
898KB

MD5
e24d9b483ce7a3a6a4406111883457f7

SHA1
0d5efff0d110c48f5e6f5d438967427f1e2dbf84

SHA256
dbf28e21d55dd662cccf4d422a1a645a6a3dbfd6914942dde417d20c4d2fe01c

SHA512
b614b023ce683e78ee685be028fa06d7df90f10360d55de2a8c1214200b0b85998683502f377b01584bf23b72b168c33ef560a78d7abdf68aa3af87beca59398

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB8A5.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBA51.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
67f25f53f289227f2c126f16fdee4606

SHA1
2a2ff91097d74ce72a9916c1953ae19598b47a62

SHA256
ccf06d7a642d13d662b6c609228a9d7d0f0e8b8890235b97769f226b814e9d97

SHA512
8aadf8b90b73a5869021405e11583457c609c27df4cfb3f22a30b383220e78942d0d126b7d93595b7f65c62e3b8c5eae8c86c9799e060d39abfef2ec459e867f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
1KB

MD5
95d8622cb8d4e4dca8c561459e27f02b

SHA1
4dfc8ee2e95fd062db5d23649a54ed190ab46455

SHA256
b3a24f7d0f08b3a53ad2da21314aa6a16783144e7a69d687b81149211f379f4c

SHA512
65d666d4a98ac46d29ee101ea5b52ec972659e1e3ed0ae224d2f22a732135b054727c5d99e63787a3905ab41d6aa92ccfdef15161f8385246407befc5ab62a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
222aa93403e2a76154c8cdc34563bc6a

SHA1
8270bb68ee7f570e9c4770a4a74e56ce51d8de12

SHA256
5170c3162903088c0cbfa7d1b3c552f278edd803274b121817d162ffe95982b0

SHA512
c4ef02c88caa41b1a88c2620137f95f76964657de1b4fd4c719f86254f2a60b7ebbf934cc469fb868bebfa2c06b102c87cdb5c2dc408860aae438a999beb44bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
e4f663c3212b641fabdf0da60fe6931d

SHA1
caf912aefd58944585fc793758e94daddef2f640

SHA256
208d567c9808690cd213b531ae0cc4216dd89fd6a6f094c607da07ab299aec38

SHA512
b4deedd0f5d4df2c4228220d809016067ed5e45b2d07d6dcf7174d89f631355c668ad10cce4a690500213b40e7c886d18dc1534fce89abd3493eb6df64e0c70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
c155f9fbc28b351c63694b1a454a1df7

SHA1
319cbc47f723ed73ed8440e18eab44a7700d1f83

SHA256
6679afa2aecec86e2b1134d5496aca014d7a26049194b6dfd1d61d49f2f44be4

SHA512
939c36197fe800edaeee41c6475866eb037cb1dc2f438511a0a388250a9e6dfe9cbeebda18095c917ffc46fe7d5525d8a9cbe1c16e10ee4268857e198fd5a7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
511B

MD5
3019bfeb6ca21d834c5d32ee3a68d67a

SHA1
45848146ea08906bf1134c4abd022e8edaf0e64c

SHA256
216b04eeb7eb7b2d2e176555d7db8f871310f0f4ad41e59915919dad371f2338

SHA512
4c5ec5486bfc6ebae3306f3a54dbbd4bfd73f92e3a02a35379743884f1e80a8db8a358e13bcef68c35c3fcc4b233967f8051952f00cbad32a1414b64657c11ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
fb1712235d9c69f672919cb7697bfe61

SHA1
cf7a8a6cb4745255e61e397881c6ad076a2624bb

SHA256
a44eda36c579c95dbcad9ec6b887db7bc38ff6b73aa1172cfd86758302b96bef

SHA512
a48f0829c9f1a2400ad336290f124e2dc848ced56fe1f2289d485882521afa77d96ae79db570963aaddcc65d7c605522451486cc02312cfb12cc208f3c800540

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
faa8123df5a28e60bb4a7a3eacef3b5f

SHA1
f9830f0bd57306472df3ea66aa6eb126cc2eb41d

SHA256
ae6fbb8dc2f0f3bfae7101a42396bea208a532fbc1947feb1e83851f7b0398ad

SHA512
9706376947311efb30068bdce8df06aa755032ca194d45ab3eafe639efbbb0ee8b671aad7988b2e610320997f23cc3ba31789e6e5a6597b558e95dc1863169ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
193KB

MD5
6a86e8d216a77baa9084e18e231204a6

SHA1
6c1e488a58c0776519fb5eb4161d0f929aecb188

SHA256
49c96e06d4d875bd04d6dba41567347e0ca43f712b54dfcb240bbf8da12506d3

SHA512
6c4dddca4bcad858ff042a9f15da6226cf8c4a7c84215a1cba8b6625ef192d74451fb11a9ceb6c5a6450b71fec24c69d404505717c008c9009ca8e0a8a57c37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
193KB

MD5
5da1b3686b8239c4278b11288b0b441d

SHA1
fde3ebc5be1347693b9a66877f78d40929383ff8

SHA256
c2e1e432f32ceaef9be282ed1216275604f03a9fc514781161eaa89c32046f56

SHA512
a5a118bc340169f36c7b69a1d5e20b23be6132be6926664d67839357c40ac7a9337014a9aa570b72f3f3ce816a3b003915516effb764ac00f3959a75a9d05b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
194KB

MD5
a4a7a1bb494c3808f6c61b7a016b0e1b

SHA1
78c93a6cb226ae9fec29eb5727737b88457c09ad

SHA256
415da94b6e737947ad017a683a71fa1ab41229ae062f46e18ad8b427dc63b6b9

SHA512
9cf5f993f137024edfe2c35186beaffd891cfc8122d527a95cc42eb098026766ae35f2c53625f50b4821f54b055f21dbe99e6da3dc4c08ffa49419b58553be93

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
195KB

MD5
a256804cf7979b72a2e05766cdc6e6a4

SHA1
7318c80b4ff40c397a27cd2fce6c157bea503be6

SHA256
0ce92642049b8d6cd1925f5697eb4fd699594fc329d590fb482f9430a449c4a5

SHA512
8c8fd367f8e990ae1d291b66ae34efd76dc547e53d3e80b334ce00fc05a703c9a4316025426363106f614ecf64567bb98b918ab019ed084ba47e06f634c397f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
195KB

MD5
95b6db47d83e1c43fe0a6dfa89b6cf4c

SHA1
ce67c5f379dca2775815dba04875bee40dcc8c14

SHA256
c3fccdfe60a45a816f9389a8ed5678862bb151d10d58d5ed7275a7d0e3714388

SHA512
4c9df5f9d618bb0d6827ff187b0f7ba1bc7b17fb34635a84a37353837b5afc6c0c4ff0c913608edb6ec478c540d79084fe2aaa15f45628ab4a53938a223dbbe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
196KB

MD5
b0949b14d1ae9196d12eaccaa0b62107

SHA1
4acd9a8d1411037d73667808f243572d2239c436

SHA256
295f8c8bb8e6a16f72874ca3bffdf21b7f4050cdab3bdc1bf055f6a86ce3ea95

SHA512
b25bcaa9dcb3491a98c799d3281fc88988fec2d6a50c2c127c89a5fea789ec657ab3da53ce54b3f1dd40d33c7f415935bc57b101c23b07d7298864c9047cc906

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
196KB

MD5
5b2120b15b094ab218e799bfff61dc14

SHA1
e28431d7b6e4b553a5d1d16ec3b8f97e4c99e3e9

SHA256
890825362b7fc3c0d04d28220a0448db13ed45caf20fb07e24cad7cfc89b8af5

SHA512
9e7938223631f324d5b7729f0957a9369d864df6d1ef8075419c626b5873e81a39775cb6a2e1a08d8da66b3f444f2eb6699c6b9dee076fdb2a8feacc590eb49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
197KB

MD5
2b86d39053fc6e56bd766e03b26a52c0

SHA1
ef3dc18b0959019ac4501feb955921fb0053907f

SHA256
a0c4e58373a32071c13ea9d822f62773b50746a310cd371e425a2156963e0548

SHA512
b156b87ba767de35d4be1738eebd393fc584c2294f529834f20d63d5179c6b198925c68b94af63243bc667fd5f87792886af2225c1f3d7933e311b75ad1bc173

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

Filesize
4KB

MD5
b8fb107bd13db98220f268c8934f9966

SHA1
9ae449edd077dbe9fc765619a318359a03284b18

SHA256
54319cb0aa82dc67dffada8af6e5fdb235b0c27575f4c7ddfe7a6f834243d3eb

SHA512
af996421da8f6655c62693db73770777b981334e368c0a288b8e7ba5dc20577adc7605336cb0a1d65ae41f0e4cae09e572ccf657c9c35aed679b0ccf17e1941d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
602B

MD5
b839e251dabd87499a7b7adb2e0f7138

SHA1
9586549fd057eea195b23123a4a978a2c908977d

SHA256
07b873d86b17f179340b0c66dda7bbbe88d7dfd34e54f8a604323bcbd451e5f0

SHA512
5b9234c76387649dab686d772e30a255e9de78648d661cc2ab17c37dac1ed31700cdeed40796bc789b35fc333294ec747c8915df968249f83bbd6e241d9c53eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
890B

MD5
84c27ced6cc0251cd34714e71e48a140

SHA1
6e32ac3ed6f877e45a116f774b96918e930ba0ec

SHA256
0c87510669db441fb18ab701f020065edfb5701272555e7445a3a2698be815b6

SHA512
f1579dc5aebbe3ae6c87c89b0a5b444376c64515eaef2a719120f4c4cfeb930388fd97ff44f2dae65a59bf0e197fcd206d86765e5384045c8f65b9d1e7c15fc0

Download Submit
C:\Windows\Installer\MSIBD12.tmp

Filesize
202KB

MD5
9f84d910602183954bed6d9660600783

SHA1
82e3b122dc63e0a333bca531dd16667d5fafbf23

SHA256
bf4e4c75d148cb412e28a0b4e665919fd5ac6b9aa6bc3fa75401394759218d5e

SHA512
09fb450e6c6f22a32d5e06f470070aab17d4973afe307b529093af7fa29ab96b61a89814e4964d005459f8ebb25716134a5e1c41f6ea7d260361b135306544b9

Download Submit
C:\Windows\Installer\f76b80f.msi

Filesize
155KB

MD5
55d7e66e49c3994eb5e1004a5efd22b1

SHA1
aa8a045dc0c161e95804f76efe27f1f572072fa8

SHA256
0a833d92b4d4aa068b0cb256b87c0d3495c3cc4a021be86c072095fee467b379

SHA512
2492ca442c4f6aab1f085a54bbbc1a95b836f033f1c8748fa6c3873997a397020baedfc1f661d751afe30ade3ab14b66a676a4731696b6c90c5c3adfa6c2bd2b

Download Submit
\Program Files (x86)\Java\jre7\bin\java.dll

Filesize
117KB

MD5
a258a133f7d565600647a248ab95792c

SHA1
1c6a855ca1fc04413b906b0b17609eff38317161

SHA256
81ad5696a6fcad89127fc7a428636d431b446ff1ee0c37bf87e8d513a8bae7af

SHA512
bf9dd97947eb0c71243ae28255af54b06d9e17af7ade666538dd93f9fdf6d8fbc3855f48bfaf6522dbd9ce3c6cff655581f092709670606d033f2321b1f4a5e7

Download Submit
\Program Files (x86)\Java\jre7\bin\javaw.exe

Filesize
171KB

MD5
64e2bb67ea740860510dcc5c2b6ffa2d

SHA1
6c5996358264624cdb4a075acc4f0b46177cd259

SHA256
844ab2231f45fad60d81770ea36d9937da9aa72cd905ce06e7471ddf9d69263b

SHA512
ed24331883ada44d8b034f5c8bc458e53234109d5cd02a27989972033f5b3305d23365106ce80be81caa16e472c14c103e457a1e0d138eb0d95036e58d877462

Download Submit
\Program Files (x86)\Java\jre7\bin\jpishare.dll

Filesize
138KB

MD5
4cf2dff54d2e12e3ab637fcafa7d4c9d

SHA1
dcbd0a027b8017ac396741698dfc3b3f4d1b4c39

SHA256
8ff2bc130db2f1fef2e6470adb58bcdba1d2133f9ad21ebd7d80fedd3e537e21

SHA512
a206001ceaed2df91428f1b7094246e4e7318bf4e7b19c475d4887b5eae49714ff7fa3cfab4133004a51280cf36549b73eecc87428b0b38294297545e9493e67

Download Submit
\Program Files (x86)\Java\jre7\bin\unpack200.exe

Filesize
145KB

MD5
0d46182b6134aa9c7acd16133d67e4c3

SHA1
7b5be3d65e5e744723bf55a08f9dc1042585d5eb

SHA256
c89091f2a4de2fcf10b30e54a74ec5764e2dfc0577f4f1d879ac8816e3b08bcc

SHA512
735b6c6bd69b22a71c15ae44c6fa1693700321dc3b4b2367ce05d5c37df62e45d1d3836c2c0f5e44be1036aeb11a533c2a4dbec55163b4a15adfa1c8ef75673b

Download Submit
\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe

Filesize
28.1MB

MD5
f2fd417b6d5c7ffc501c7632cc811c3e

SHA1
305c1493fca53ab63ba1686c9afdfb65142e59d3

SHA256
a87adf22064e2f7fa6ef64b2513533bf02aa0bf5265670e95b301a79d7ca89d9

SHA512
289ee902156537e039636722ad5ac8b0592cf5cffda3d03cf22240003627b049382b95db1b24cf6a2f7134b0df93ede65a80a86381fc161b54c84a76ed04458b

Download Submit
memory/308-1158-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/308-1104-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/308-1014-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/308-1013-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1084-1208-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1084-1206-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1712-1279-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1964-1244-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1964-1248-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2036-1159-0x00000000001F0000-0x000000000027C000-memory.dmp

Filesize
560KB

Download
memory/2036-0-0x00000000001F0000-0x000000000027C000-memory.dmp

Filesize
560KB

Download
memory/2036-80-0x00000000001F0000-0x000000000027C000-memory.dmp

Filesize
560KB

Download
memory/2036-38-0x00000000035A0000-0x000000000362C000-memory.dmp

Filesize
560KB

Download
memory/2036-88-0x00000000035A0000-0x000000000362C000-memory.dmp

Filesize
560KB

Download
memory/2036-1286-0x00000000001F0000-0x000000000027C000-memory.dmp

Filesize
560KB

Download
memory/2620-41-0x00000000001F0000-0x000000000027C000-memory.dmp

Filesize
560KB

Download
memory/2620-81-0x00000000001F0000-0x000000000027C000-memory.dmp

Filesize
560KB

Download
memory/2760-992-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2760-970-0x0000000039E00000-0x0000000039E10000-memory.dmp

Filesize
64KB

Download
memory/2764-946-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2876-1148-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download