139ee6fc065e526efac3cf24d50d0d95c78e1a10ff2cf40839cd4756fff43e71

Analysis

max time kernel
142s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe
Size

206KB
MD5

965abae8ef3e9859e0e473c5f3cffccf
SHA1

6fb809712f1aa97ad226186702c6cc9528144b44
SHA256

139ee6fc065e526efac3cf24d50d0d95c78e1a10ff2cf40839cd4756fff43e71
SHA512

3c040033cf886f1f272d2ba02c6bf2b1e294a8d7dd25286e201c43b4ac9ee7f3e78ee2e8c9c5a340c6a93711258936d23e0391aa62fb2536a58e973fb9e69262
SSDEEP

6144:q8+9tCJQBqCYaM+QcEdNc4fdem9UJNh+ytHFoSyG0:sf2aM+Qcn4V/8NhnpFoSyn

Score

8^/10

adware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe

Executes dropped EXE 17 IoCs

pid	Process
3952	41javaSetup.exe
4856	unpack200.exe
2368	unpack200.exe
1832	unpack200.exe
3848	unpack200.exe
3636	unpack200.exe
2204	unpack200.exe
2756	unpack200.exe
5116	unpack200.exe
3008	javaw.exe
2960	javaws.exe
1948	javaw.exe
3856	jp2launcher.exe
3796	javaw.exe
4148	javaw.exe
4260	javaw.exe
4876	javaw.exe

Loads dropped DLL 55 IoCs

pid	Process
4276	MsiExec.exe
4076	MsiExec.exe
4856	unpack200.exe
2368	unpack200.exe
1832	unpack200.exe
3848	unpack200.exe
3636	unpack200.exe
2204	unpack200.exe
2756	unpack200.exe
5116	unpack200.exe
3008	javaw.exe
3008	javaw.exe
3008	javaw.exe
3008	javaw.exe
3008	javaw.exe
4076	MsiExec.exe
4076	MsiExec.exe
4076	MsiExec.exe
4076	MsiExec.exe
2960	javaws.exe
1948	javaw.exe
1948	javaw.exe
1948	javaw.exe
1948	javaw.exe
1948	javaw.exe
3856	jp2launcher.exe
3856	jp2launcher.exe
3856	jp2launcher.exe
3856	jp2launcher.exe
3856	jp2launcher.exe
3856	jp2launcher.exe
3856	jp2launcher.exe
3856	jp2launcher.exe
3856	jp2launcher.exe
3856	jp2launcher.exe
3796	javaw.exe
3796	javaw.exe
3796	javaw.exe
3796	javaw.exe
3796	javaw.exe
4148	javaw.exe
4148	javaw.exe
4148	javaw.exe
4148	javaw.exe
4148	javaw.exe
4260	javaw.exe
4260	javaw.exe
4260	javaw.exe
4260	javaw.exe
4260	javaw.exe
4876	javaw.exe
4876	javaw.exe
4876	javaw.exe
4876	javaw.exe
4876	javaw.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2064-0-0x0000000000370000-0x00000000003FC000-memory.dmp	upx
behavioral2/memory/1380-77-0x0000000000370000-0x00000000003FC000-memory.dmp	upx
behavioral2/memory/2064-76-0x0000000000370000-0x00000000003FC000-memory.dmp	upx
behavioral2/memory/2064-1618-0x0000000000370000-0x00000000003FC000-memory.dmp	upx
behavioral2/memory/2064-1752-0x0000000000370000-0x00000000003FC000-memory.dmp	upx

Blocklisted process makes network request 1 IoCs

flow	pid	Process
50	1336	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	MsiExec.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\java.exe	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\java.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\javaw.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	MsiExec.exe
File created	C:\Windows\SysWOW64\javaws.exe	MsiExec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Riyadh87	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+2	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\LICENSE	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Nome	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Paris	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Colombo	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Oslo	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Almaty	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Sakhalin	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Edmonton	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Guayaquil	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Omsk	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Apia	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\charsets.pack	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\St_Johns	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\La_Paz	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Antarctica\Palmer	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Urumqi	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\fonts\LucidaSansDemiBold.ttf	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\security\java.security	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Tashkent	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\London	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\MET	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Puerto_Rico	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Gaza	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Anchorage	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Yakutat	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Karachi	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jpinscp.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\management\management.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Cairo	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\Catamarca	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Chita	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Tahiti	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\JdbcOdbc.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Riga	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Bougainville	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Winnipeg	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Andorra	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Monterrey	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Australia\Sydney	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Prague	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\j2pcsc.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Indiana\Vincennes	MsiExec.exe
File created	C:\PROGRA~2\Zona\License_en.rtf	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\San_Juan	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\core.zip	msiexec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Kuching	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Halifax	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Ashgabat	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\jvm.hprof.txt	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Nairobi	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\Mendoza	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Fortaleza	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Novosibirsk	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Australia\Darwin	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jp2iexp.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\policytool.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Galapagos	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Guam	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Wallis	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Juneau	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Jakarta	MsiExec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57c2a4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F03217080FF}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC62F.tmp	msiexec.exe
File created	C:\Windows\Installer\e57c2a8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC8D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c2a4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "49792596"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0049-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0050-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0055-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_10"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0035-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_93"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_04"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_27"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_41"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_38"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_56"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_46"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0091-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_91"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_05"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_10"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0021-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_66"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_30"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_53"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_47"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_38"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_73"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_38"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_64"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0082-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0079-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0094-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_04"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_01"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0034-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_32"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0054-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_54"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0026-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_03"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0075-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBA}	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3856	jp2launcher.exe
3856	jp2launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4816	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4816	msiexec.exe
Token: SeSecurityPrivilege	1336	msiexec.exe
Token: SeCreateTokenPrivilege	4816	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4816	msiexec.exe
Token: SeLockMemoryPrivilege	4816	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4816	msiexec.exe
Token: SeMachineAccountPrivilege	4816	msiexec.exe
Token: SeTcbPrivilege	4816	msiexec.exe
Token: SeSecurityPrivilege	4816	msiexec.exe
Token: SeTakeOwnershipPrivilege	4816	msiexec.exe
Token: SeLoadDriverPrivilege	4816	msiexec.exe
Token: SeSystemProfilePrivilege	4816	msiexec.exe
Token: SeSystemtimePrivilege	4816	msiexec.exe
Token: SeProfSingleProcessPrivilege	4816	msiexec.exe
Token: SeIncBasePriorityPrivilege	4816	msiexec.exe
Token: SeCreatePagefilePrivilege	4816	msiexec.exe
Token: SeCreatePermanentPrivilege	4816	msiexec.exe
Token: SeBackupPrivilege	4816	msiexec.exe
Token: SeRestorePrivilege	4816	msiexec.exe
Token: SeShutdownPrivilege	4816	msiexec.exe
Token: SeDebugPrivilege	4816	msiexec.exe
Token: SeAuditPrivilege	4816	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4816	msiexec.exe
Token: SeChangeNotifyPrivilege	4816	msiexec.exe
Token: SeRemoteShutdownPrivilege	4816	msiexec.exe
Token: SeUndockPrivilege	4816	msiexec.exe
Token: SeSyncAgentPrivilege	4816	msiexec.exe
Token: SeEnableDelegationPrivilege	4816	msiexec.exe
Token: SeManageVolumePrivilege	4816	msiexec.exe
Token: SeImpersonatePrivilege	4816	msiexec.exe
Token: SeCreateGlobalPrivilege	4816	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe
Token: SeRestorePrivilege	1336	msiexec.exe
Token: SeTakeOwnershipPrivilege	1336	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3856	jp2launcher.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2216	2064	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	83
PID 2064 wrote to memory of 2216	2064	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	83
PID 2064 wrote to memory of 2216	2064	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	83
PID 2064 wrote to memory of 1380	2064	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	86
PID 2064 wrote to memory of 1380	2064	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	86
PID 2064 wrote to memory of 1380	2064	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	86
PID 1380 wrote to memory of 3952	1380	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	98
PID 1380 wrote to memory of 3952	1380	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	98
PID 1380 wrote to memory of 3952	1380	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	98
PID 3952 wrote to memory of 4816	3952	41javaSetup.exe	99
PID 3952 wrote to memory of 4816	3952	41javaSetup.exe	99
PID 3952 wrote to memory of 4816	3952	41javaSetup.exe	99
PID 1336 wrote to memory of 4276	1336	msiexec.exe	101
PID 1336 wrote to memory of 4276	1336	msiexec.exe	101
PID 1336 wrote to memory of 4276	1336	msiexec.exe	101
PID 1336 wrote to memory of 4076	1336	msiexec.exe	102
PID 1336 wrote to memory of 4076	1336	msiexec.exe	102
PID 1336 wrote to memory of 4076	1336	msiexec.exe	102
PID 4076 wrote to memory of 4856	4076	MsiExec.exe	103
PID 4076 wrote to memory of 4856	4076	MsiExec.exe	103
PID 4076 wrote to memory of 4856	4076	MsiExec.exe	103
PID 4076 wrote to memory of 2368	4076	MsiExec.exe	104
PID 4076 wrote to memory of 2368	4076	MsiExec.exe	104
PID 4076 wrote to memory of 2368	4076	MsiExec.exe	104
PID 4076 wrote to memory of 1832	4076	MsiExec.exe	105
PID 4076 wrote to memory of 1832	4076	MsiExec.exe	105
PID 4076 wrote to memory of 1832	4076	MsiExec.exe	105
PID 4076 wrote to memory of 3848	4076	MsiExec.exe	106
PID 4076 wrote to memory of 3848	4076	MsiExec.exe	106
PID 4076 wrote to memory of 3848	4076	MsiExec.exe	106
PID 4076 wrote to memory of 3636	4076	MsiExec.exe	107
PID 4076 wrote to memory of 3636	4076	MsiExec.exe	107
PID 4076 wrote to memory of 3636	4076	MsiExec.exe	107
PID 4076 wrote to memory of 2204	4076	MsiExec.exe	108
PID 4076 wrote to memory of 2204	4076	MsiExec.exe	108
PID 4076 wrote to memory of 2204	4076	MsiExec.exe	108
PID 4076 wrote to memory of 2756	4076	MsiExec.exe	109
PID 4076 wrote to memory of 2756	4076	MsiExec.exe	109
PID 4076 wrote to memory of 2756	4076	MsiExec.exe	109
PID 4076 wrote to memory of 5116	4076	MsiExec.exe	110
PID 4076 wrote to memory of 5116	4076	MsiExec.exe	110
PID 4076 wrote to memory of 5116	4076	MsiExec.exe	110
PID 4076 wrote to memory of 3008	4076	MsiExec.exe	111
PID 4076 wrote to memory of 3008	4076	MsiExec.exe	111
PID 4076 wrote to memory of 3008	4076	MsiExec.exe	111
PID 2960 wrote to memory of 1948	2960	javaws.exe	114
PID 2960 wrote to memory of 1948	2960	javaws.exe	114
PID 2960 wrote to memory of 1948	2960	javaws.exe	114
PID 2960 wrote to memory of 3856	2960	javaws.exe	115
PID 2960 wrote to memory of 3856	2960	javaws.exe	115
PID 2960 wrote to memory of 3856	2960	javaws.exe	115
PID 2064 wrote to memory of 3796	2064	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	116
PID 2064 wrote to memory of 3796	2064	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	116
PID 2064 wrote to memory of 3796	2064	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	116
PID 1380 wrote to memory of 4148	1380	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	118
PID 1380 wrote to memory of 4148	1380	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	118
PID 1380 wrote to memory of 4148	1380	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	118
PID 1380 wrote to memory of 4260	1380	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	119
PID 1380 wrote to memory of 4260	1380	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	119
PID 1380 wrote to memory of 4260	1380	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	119
PID 2064 wrote to memory of 4876	2064	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	120
PID 2064 wrote to memory of 4876	2064	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	120
PID 2064 wrote to memory of 4876	2064	965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe	120

C:\Users\Admin\AppData\Local\Temp\965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:2216
- C:\Users\Admin\AppData\Local\Temp\965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\965abae8ef3e9859e0e473c5f3cffccf_JaffaCakes118.exe" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe
    "C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4816
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Roaming\Zona\tmp\18467Zona.7z" "C:\PROGRA~2\Zona" "C:\Users\Admin\AppData\Local\Temp\zonaErr_core_-449572260.log"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4148
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Roaming\Zona\tmp\6334appdata.7z" "C:\Users\Admin\AppData\Roaming\Zona" "C:\Users\Admin\AppData\Local\Temp\zonaErr_plugin_-449571104.log"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4260
- C:\Program Files (x86)\Java\jre7\bin\javaw.exe
  "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" ru.megamakc.core.JavaArch
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3796
- C:\Program Files (x86)\Java\jre7\bin\javaw.exe
  "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4876

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3719BBCFF697BF6F786CD1982B07F462
  2⤵
  - Loads dropped DLL
  PID:4276
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 76D8C97635F44D5A5251D0BCCC989592 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4856
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2368
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1832
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3848
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3636
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2204
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2756
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5116
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3008
- - C:\Program Files (x86)\Java\jre7\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
      "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1948
  - - C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW5camF2YXcuZXhl -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57c2a7.rbs

Filesize
10KB

MD5
176405bbcf6fba2776e67e760f8777b2

SHA1
630b180ff7456626c878e7902b2aa2ebf87aa4b2

SHA256
42c3b48d2edd5e3b47fd183af6bca0b3d10b581561d5d1601f3bbadd131ca0f4

SHA512
307f44dc7b2b9ecf61f817d466cb8b60706e3b8ec363f6f64af6ca1f714d764e8b11a7689a0de4ae05cdeedb20ddb0b8db6feffde959de336148e0a391c679b2

Download Submit
C:\Program Files (x86)\Java\jre7\bin\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\Java\jre7\bin\WindowsAccessBridge-32.dll

Filesize
95KB

MD5
1722510af00ea3c7406681b47bf442f7

SHA1
cafac266d52d78d3743c31ebef22a894781e0de5

SHA256
4010a3ec604a327861bedf01626c12eaded9d381b6e4f0e6f760895838834a21

SHA512
31a2ce3d5eb9828cbb82d2a7e29f2c5bf46528d38f25827329512cedde37bd03b3cfdba0aba3320b6c0e7779588958e83bff735f6059aad37172598e70e863eb

Download Submit
C:\Program Files (x86)\Java\jre7\bin\client\jvm.dll

Filesize
3.4MB

MD5
27147e1e3faf9b5ccda882cd96f2a85c

SHA1
7103f60121727917f812bfc7cdff5347fc17cc8e

SHA256
500d359211ece211cf672de328345876f016fb4a476b2a03cbc3b8b89023ae1f

SHA512
0866c604911e243687e7fe721142eb882b19691c902736b59ba304933463d8c9154ecc319b91c9771cee8139e151cc2a2e960bc7a93ed97352cf5232a0964194

Download Submit
C:\Program Files (x86)\Java\jre7\bin\deploy.dll

Filesize
371KB

MD5
87ec9d4a00d34eb6a0f8f92e1d1cc08e

SHA1
bee4ecae201905096dd44d1d348ecb3556d90832

SHA256
352707a271a9ab5d0e190a539b6468d6c6c5ce9675b300acf2305aa1f30625d8

SHA512
5b7f9866168ad7948a5a80078b14ff747201d17922ca907072a081e0078f6ac68446ddd36b027b4a17f5afa7d1bb4962642cff28cf66867171ebb78735f242d2

Download Submit
C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll

Filesize
864KB

MD5
bc3a575dfb1a58d35e8617f2966bf1ea

SHA1
6353630f62e246d7f462134e8d10a7a42935e20f

SHA256
c029fd3c6ffd2158d0633fc122786838a6f5d3cc7ef78bbe934697015c8c63dd

SHA512
c976da30d343f8e104bec72300dc0c17e582e380f0a3ae85b242dbf2d5b40459feb4a3b7789fb8d755b21cbaa0940038d20dbbf1296a48e77b461092abbbe514

Download Submit
C:\Program Files (x86)\Java\jre7\bin\java.dll

Filesize
117KB

MD5
a258a133f7d565600647a248ab95792c

SHA1
1c6a855ca1fc04413b906b0b17609eff38317161

SHA256
81ad5696a6fcad89127fc7a428636d431b446ff1ee0c37bf87e8d513a8bae7af

SHA512
bf9dd97947eb0c71243ae28255af54b06d9e17af7ade666538dd93f9fdf6d8fbc3855f48bfaf6522dbd9ce3c6cff655581f092709670606d033f2321b1f4a5e7

Download Submit
C:\Program Files (x86)\Java\jre7\bin\java.exe

Filesize
171KB

MD5
88651044108e995f9801e35d2582491c

SHA1
abbf404c0253d085223a64ab947e1057c4211c9c

SHA256
c7fd72a0730b377c6da5ac80cdaf5f4cca84cc999a563a4c420fe5a8576810f8

SHA512
486b1d7ad7c3debcb8d70f9351adb08c8321c4cfb409a00ff818be1dacdc376a0eded630ccdc74aa99cc472589b88c9681989076fd78eb109759d33e7bf70543

Download Submit
C:\Program Files (x86)\Java\jre7\bin\javaw.exe

Filesize
171KB

MD5
64e2bb67ea740860510dcc5c2b6ffa2d

SHA1
6c5996358264624cdb4a075acc4f0b46177cd259

SHA256
844ab2231f45fad60d81770ea36d9937da9aa72cd905ce06e7471ddf9d69263b

SHA512
ed24331883ada44d8b034f5c8bc458e53234109d5cd02a27989972033f5b3305d23365106ce80be81caa16e472c14c103e457a1e0d138eb0d95036e58d877462

Download Submit
C:\Program Files (x86)\Java\jre7\bin\javaws.exe

Filesize
266KB

MD5
2b4493bb1f94580c41def972ea9a887e

SHA1
880ca8b20c6df9a6a176b91cc50304cb0fe66d06

SHA256
841339373958786d9c93a7dad5de8fd213ed6b5ad69623f5a5762a453c48e0a5

SHA512
b43e54f2c1f3e0a3c3d2fcee518e47d17476bb735606351e41b49e97e10af758ea9a539ac370a2d12cffa93e3e752e829db969968664c59386f65b732c29e40e

Download Submit
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

Filesize
145KB

MD5
0d46182b6134aa9c7acd16133d67e4c3

SHA1
7b5be3d65e5e744723bf55a08f9dc1042585d5eb

SHA256
c89091f2a4de2fcf10b30e54a74ec5764e2dfc0577f4f1d879ac8816e3b08bcc

SHA512
735b6c6bd69b22a71c15ae44c6fa1693700321dc3b4b2367ce05d5c37df62e45d1d3836c2c0f5e44be1036aeb11a533c2a4dbec55163b4a15adfa1c8ef75673b

Download Submit
C:\Program Files (x86)\Java\jre7\bin\verify.dll

Filesize
38KB

MD5
cb89b1d71061f5ec52468528ecc0b1fc

SHA1
6feb23a8b5719c8997de92c7da644807fcba8819

SHA256
87d8d59972e73700507c07cee8750b0053c6a0899410338722a00c2803d39ee6

SHA512
2ff0ed38c7f28eb7ea16f24a0841dfb3306c4fec48ded5fddec8c3140f1a425433a444fe6b6cc4c17b3a39841c8ab0c23d7c9525c119c1b9d6daac2c17a4e4b0

Download Submit
C:\Program Files (x86)\Java\jre7\bin\wsdetect.dll

Filesize
159KB

MD5
958bc8d82e4d0a5b51536bb4fc4fb6d6

SHA1
626312fa01c72ec5c85c9262ba0ae97a8b1f5b25

SHA256
2ef891881d506084ed182a0ac58b10dbe8c45877ef889ac9105f19431beee4ca

SHA512
fe17b58e3eed817619bebf6d091aee99fdc331c9c5a4163e9f5993b41b2e7362365da210e0636755ada6b8838012de1bc5435b8670aa12f378a3c9e3a9f5af04

Download Submit
C:\Program Files (x86)\Java\jre7\bin\zip.dll

Filesize
66KB

MD5
1ecf056944068b933ba71cda3edc4a68

SHA1
2052b2138db0d9a368942470b41bb6fc5b1d4007

SHA256
35ce7ab154a38e97951714e17f7689873d89e8c01188de6e5cd741bc0ca3e384

SHA512
cadf312841d392a9970cc068b72063e17454d5e6738b46ec9622257d9dfc0bcad0d9420352752bf7d8f8e8ceaf6aca97d83896f753dc12cfeac3e5efb5e1ab05

Download Submit
C:\Program Files (x86)\Java\jre7\lib\charsets.pack

Filesize
1.3MB

MD5
549bbcd204914b543dafee670f110834

SHA1
012461935191a55482e8c3d453d245e965a10a2a

SHA256
8ea5af036ec067a0abcf87b8f5921e2281ff9d259e1d4c3bbe7fa9037cd87d02

SHA512
b0346a2ec52ce47351286f27f347f5fea99e160aedde52bcf74e1629739704bd975c9c99d8db6be3b6bd45e7fa933616fa081eda49e9b911efcc031c7241400e

Download Submit
C:\Program Files (x86)\Java\jre7\lib\deploy.pack

Filesize
1.7MB

MD5
b2a448112b7c886ccce9b6a3d5efd8a0

SHA1
660bc9efe960015b208a421b1a63443e7151024f

SHA256
928f6b847f94b920c462a08c43f0dfd3f7c40076b1cd60545523a5c27a4870ca

SHA512
871da63f4eaf16d77ba6c19c10d8ddd8e94f744c20a70e24793f837023d20e56698d85f67498bc06ec37b73a8f376c220afbe7f3884b00536b710ff49c339b3f

Download Submit
C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack

Filesize
736KB

MD5
c8dc1cfeaf0fefc39ed0f1de4eaa175c

SHA1
11cacbb9e5724d37789455de37a225d8e0c648a1

SHA256
da2803a283d28882182e1e280b4f25ee1579a5805e73fcc9882e63968f102a8f

SHA512
6b419ba94ae90f8caa3a57690f2ec7e249c9fb8ab86819439621cde1243c7636ee76820622ce32ed483ce76976f7ced74778898fc2725b1a2407b039fb53508c

Download Submit
C:\Program Files (x86)\Java\jre7\lib\i386\jvm.cfg

Filesize
686B

MD5
5147cce789cd18ad6b2996eb89e5d866

SHA1
756f1fffe96ef581f0d4d47253523544c89a2622

SHA256
c471d622198461715f245d478484fc7c8de533313c56e922931a875460a5aa88

SHA512
55f53adb70b1cf741cdf0dee74d92d2bf4c96954a760afae289972a0ea9bb27bc5eb4df1bd41829c7c484211fcb294fe296a4d560d8a1cdbb8c707b3bf2a79a6

Download Submit
C:\Program Files (x86)\Java\jre7\lib\images\cursors\invalid32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Program Files (x86)\Java\jre7\lib\javaws.pack

Filesize
205KB

MD5
491bce42c6cd8af88a2e11f37711ed4f

SHA1
3de7c18fee44465a6afe34e068f2a64dea9fa324

SHA256
ee43869ee94eefe241d661101ff6a03cc276f8e558967b1b350ea088f1dad2e2

SHA512
1e5f99466b77b5a82c23449434272acf5746811ef96b98105f89b3339ccd86734d7713c94b773755219345d673a761a356fbe846a38e7893bd8894e43cf102e4

Download Submit
C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack

Filesize
3.2MB

MD5
dfaa6429468d56ef77932cf26a495f75

SHA1
8a21a29225640f1829ae328a24ef9cb5e215a4e0

SHA256
8c481a549acfa58b1bac0385906febe33a928d004a529fec505b6a9228678fed

SHA512
6c19ed573b111315648de0646441486729b304452c15b2282938460a2339db0be4e1eb19cf6f2bf17f73037811ca2553a15957ea96b9d9af64a93045407c1148

Download Submit
C:\Program Files (x86)\Java\jre7\lib\jsse.pack

Filesize
141KB

MD5
31b4d9c29d29567b0ae3037fac9fbdc6

SHA1
8b5d1b1a309177466d71a742414d441f600ea38e

SHA256
9f031f2f1292bb311c400b0a93a11b78a08f013332b1263ea58617b6548862eb

SHA512
b4a8a3a1e837f98a3164e19a6fe939819eb336892335de975822890b52b5923d85fee4c4e5464ccb0d46c847f37f7da98a839aadbf4d20fca355f396a53836c0

Download Submit
C:\Program Files (x86)\Java\jre7\lib\plugin.pack

Filesize
489KB

MD5
47d6cfa1b01a6d41885504bbc3b1919a

SHA1
3838060f9d530c972d65f36fa38b265120a218aa

SHA256
93defaaf7f82e2e9565b27dd31a41c89e02d1b7719d0da0b940a55dcc75b91e5

SHA512
b0df9b174624234aaeb2b50cf611f698377925a0ae5c5ee9da46c65fcecf4d28941d1bf2332316d9327981c1f8c6c4fecf750e013f04eef63f5df52d27593135

Download Submit
C:\Program Files (x86)\Java\jre7\lib\rt.pack

Filesize
13.1MB

MD5
b6d75e8c90c79af1579769f10b1e5c88

SHA1
146cb3f05fa161885e8faf079fa2bbd89b5c5b18

SHA256
82dc6806d9ec9eb16604f90a5c78d0d882b69a0e718d8f6c3c6b7c9719887b7e

SHA512
02cdd0c0d6e71bc09120db2cd3b9471c0176567d92bb74a08c13e82c1d23722eb4afac41583a11dee3fc531fd442754ee0f5cb964898ec036ddd432947996037

Download Submit
C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT

Filesize
27B

MD5
7da9aa0de33b521b3399a4ffd4078bdb

SHA1
f188a712f77103d544d4acf91d13dbc664c67034

SHA256
0a526439ed04845ce94f7e9ae55c689ad01e1493f3b30c5c2b434a31fa33a43d

SHA512
9d2170571a58aed23f29fc465c2b14db3511e88907e017c010d452ecdf7a77299020d71f8b621a86e94dd2774a5418612d381e39335f92e287a4f451ee90cfb6

Download Submit
C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+5

Filesize
27B

MD5
a2abe32f03e019dbd5c21e71cc0f0db9

SHA1
25b042eb931fff4e815adcc2ddce3636debf0ae1

SHA256
27ba8b5814833b1e8e8b5d08246b383cb8a5fb7e74e237cdbcadf320e882ab78

SHA512
197c065b9c17c6849a15f45ac69dafa68aaa0b792219fedb153d146f23997bfa4fbc4127b1d030a92a4d7103bded76a1389df715b9539ea23ea21e6a4bb65fb2

Download Submit
C:\Program Files (x86)\Java\jre7\lib\zi\HST

Filesize
27B

MD5
715dc3fcec7a4b845347b628caf46c84

SHA1
1b194cdd0a0dc5560680c33f19fc2e7c09523cd1

SHA256
3144bc5353ebbd941cdccbbd9f5fb5a06f38abf5cc7b672111705c9778412d08

SHA512
72ab4b4ad0990cce0723a882652bf4f37aac09b32a8dd33b56b1fbf25ac56ae054328909efd68c8243e54e449d845fb9d53dd95f47eaaf5873762fcd55a39662

Download Submit
C:\Program Files (x86)\Java\jre7\lib\zi\MST

Filesize
27B

MD5
11f8e73ad57571383afa5eaf6bc0456a

SHA1
65a736dddd8e9a3f1dd6fbe999b188910b5f7931

SHA256
0e6a7f1ab731ae6840eacc36b37cbe3277a991720a7c779e116ab488e0eeed4e

SHA512
578665a0897a2c05eda59fb6828f4a9f440fc784059a5f97c8484f164a5fcec95274159c6ff6336f4863b942129cb884110d14c9bd507a2d12d83a4e17f596d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
ac5eea007f6ea653bc6d9a7564e68f87

SHA1
fdaed9240b0e50881a9061dda2a66320b2ae7cc6

SHA256
b53456c5ae5198ce3dcb3b2728eb7d57087612456ff61e5d83bcd12ccecb366e

SHA512
145db4982d1063da2f7c819b76918fabcb8e34135c93b2c4b0c16da228e577bcc71c2a361b22af15d38c87c841589a8acd94484e73de03946a673c8433636ea3

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\Data1.cab

Filesize
24.6MB

MD5
003a488a2139105704566b47eb29520d

SHA1
52d672a592cd52ad5e2e7239421f2659e0d17afa

SHA256
a84262dd486cf59049d0d2d9a1b00dfb5aa5271592edd8de0e052f12496dec67

SHA512
ab34061f8e04bb1d59f1b35e0e1848a176f2b119095e79015130da3a4384c70fa35ecbe1625e07c0eb0de49c67bcdbba59f10fa1dfbbb2066dcb6ee6825215de

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi

Filesize
898KB

MD5
e24d9b483ce7a3a6a4406111883457f7

SHA1
0d5efff0d110c48f5e6f5d438967427f1e2dbf84

SHA256
dbf28e21d55dd662cccf4d422a1a645a6a3dbfd6914942dde417d20c4d2fe01c

SHA512
b614b023ce683e78ee685be028fa06d7df90f10360d55de2a8c1214200b0b85998683502f377b01584bf23b72b168c33ef560a78d7abdf68aa3af87beca59398

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
36aad274eb7cd69d2436f43e96be44db

SHA1
3dafde9d25157fb4a052448ef37bdfb8251e5ff5

SHA256
72e133eaa3ffcd136dca11af8a1c6612866539d14f89bb78edc6e54da81e2730

SHA512
17cae82ff93c8e211b1d869f99ab2f1efcc4678755be7c137e09537e36f3216faeb9081767aa5f027aa04a905bbdf818222cce7fe213e626aaf69087701f100a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
a3a56a015c798229181d40f868a9da24

SHA1
d2d02869eb654c5b16291d53e5f68a9947f40d6a

SHA256
9f3808a9541a9b2cc683b4f072d5602f2891045d67b95a2d347ecda1949ede22

SHA512
fa46c2a426df339a4a7c699fcd639769c6d5c74d72b8fb78da0ca29b3ebe28754dadb15ac20394d869402deddcc1f59f5f93ed4b482d829b9ea23d081770c1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
1fd3b3deaf9d5e3a6fa8ede9d24d7848

SHA1
22b811fe6996e4c89910c0665f7548474abac773

SHA256
b749ceaa0220ae70900a6e8a44555348b527f56e8b0937e55b4c42b95f90cdd1

SHA512
5ced5b74be9ecc41822d09f44e8a79590a2648bbf847aaf0dbfc7ed41eaee7fdd735454f2c53036f74d8ec962211f047d4fa15fcd91f94fe8fbce26c6f65aabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
1KB

MD5
261142a8ba93f80ca84647137c4942ca

SHA1
f49ce4d2c8985f477b0a7ee5e17ec5fd4b4a3291

SHA256
2c008372c92bcaf3c47ddefc1282c7f094a879128524968c4aba521e3bb66db1

SHA512
4d31829684eda3278c51dba1a626841a7b3f57749db34f7cd5ece4dd9cc9dd655cda9f4d1233a077f577538f1eb02a2a23a783ddd1e259d915fbc22f8b3727af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
77b375972abc487ca91165274d5afda1

SHA1
c783602aa93bfd4161bf7c0b0d984f2ca0834d23

SHA256
dcf1ce7539d7654206640179b4f786699bfe536fd823747c440691b84af8c9a2

SHA512
43f62e09be4fa72ac73918d6174a4639f2b05c762762ebd8f3416fdcdbd2e1f89e168efdd2dc3521c0026c1843af074ec37879d633dbcf662224d2de80a7c876

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
22KB

MD5
525bf7f5b63ffd5e86fa3aee92551c21

SHA1
bf3cd939fe57f5076afbd231cb5b1b0ea03ba5d0

SHA256
e0e88bda4bcbbcfadb1009060372744f8b3f3628ae29b1d310a99255ec76aa7a

SHA512
825d048f8a3eb7ec88bda27eaf34b5c05a9545a12d48d29fc264aeae571fb2b4aa2957cd1b5459d53dc5d18b7968760d47136a6ec099c5612c3a7ab677b24d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
23KB

MD5
18f48d6714640435ab93cad409e10070

SHA1
fd33c178274fb08adb77cf5c695ce29ba32417bd

SHA256
f7468e1cf9cb05006bb7eebf4ce106f98828351ac7d8637486794ba90e5f5bc2

SHA512
632e4957e610ab787ed9a2cf3e8d988acb16e4cfc4d4df9b52682ca54fa4f7fed980b7b5dd69b1c4dd71554894ee5e5199da630b721f3c7403652f923a16dcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
23KB

MD5
a2623660c345873243bb8f88145663b5

SHA1
d8cabac7b4057649bb6ca31504719fb0881c7190

SHA256
3532daff57c2b70280ef79edf17af55d108b2d46b88bdbf248fab74db2a43d14

SHA512
60dc96479ae28a9011dee7a2e8ff2cb60ab548a6164ba8f5562fcd1cb154362677a68c98c62aa62333ac9812d4ddb3e332957efdbc5acfb5eade18f111c21f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
25KB

MD5
d2c611a13ec2cd37d228aad0305dc734

SHA1
b7d5dd93fb333c96f9d0c516fc862a1f6dc31ae8

SHA256
648dac2d3607a22d24056d6d29f1e43343c0e812faffa92a381f627cc42789d4

SHA512
5e73bcfaf14e4a45068a74623e9ed39276844efc6269604ea231f1457c5837605e34ebc7fbf106156b0d653c3a0ce90bf0817d09a44a7b268718747506da70d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
26KB

MD5
6395ef19c45e81bddd74837a1394acb5

SHA1
92a97d8fa5c76891d0df4b4d9812370ee85859b9

SHA256
a0da062ab80c0dc8d84f51bd76faf53001cd4b48bcbc0ddae6d75e210ea92ccb

SHA512
5bb7439566d386aa46774e71378284fff75855f2b5971345d54e5142a23a9488a49b1de2a9533d37cb3f33c8d50cc64727daac7c96ca6dd3779144379a068fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
26KB

MD5
cc147c8509b89de26462cd73e51d3df4

SHA1
b37e85f40a18c1832530a760b309799378f7f6a9

SHA256
2f0f162f348b4020566418fd30c090fac83883284dde7c163b923f68d0886c69

SHA512
b8ef88fc7c91371605dc12a6fae41fa576836ad7eecbf728cd78ab5de9b235c221d5f43d2e9f9adc234f6ae5c3e823dd1b213aaa0340aa8d341015ad393a3e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

Filesize
2KB

MD5
f8494f1793c2781ff2473084d541ecb9

SHA1
235bf7d9af309fd7ca2d181ee42c01d041492a2c

SHA256
464a19e3f00f1ae1374a8107b2425819541cb19caf4bb252b2be43677326286b

SHA512
55d07939940ba52f6130051ab896597bcef358476042c0dd06a887355a6355af00f55b55097ddfb3453fd8a40e4dc4719eb989a71138476e103e911d331bf94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

Filesize
3KB

MD5
a571a80e3e7f07d8d5318528ffcf057f

SHA1
e3ec23f4b500ff697f327a186c6b7a1d0203d242

SHA256
9bf99654183263090ac650e9f691e074a0de278848a0b618df2c074d9fac23e7

SHA512
70db57b8e9aafeaf7fb4e7c7bc4a7b91297b3e5ed7dbe683c63c8191bd98c0a92457d92ee4ee379eca4935c85362cbbfb1bc9fa4a00cc010afec40752d641be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
295KB

MD5
5c61ec03c696f439f1133389fbfc71d9

SHA1
984b90e9a990e1cd7dfd5ce36a5eec9392ae5250

SHA256
360f16ff98d595266c62e566eb6582a6e8ed36537de0f6d8d8bb78008c9c504d

SHA512
4f2cd3c30eaa0d1ccc406be95d5bdfc401829902ecd0a7678d8ef21f802fe55b2910369510602e67169ac9b5033d7da7bea87ab27a20e135d0b6c2af15dcc190

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
296KB

MD5
c637f82d4ea1eebcad6de4764cb7e5d6

SHA1
b1e84521046e26adbd8b50effacfeb6e084766c8

SHA256
3bb994a8d83cc89eb5b9700eeecd3e4f643a1617020e2e8ddfb70d45d83e9667

SHA512
f91da30b101a99f5d2cfe1ada15f28b675d89eed7b0e753d695143730dac256f3b00d0cb41483a201ad285748cd640d0589d8cea7dad8614e79afefcdca6dbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
295KB

MD5
c5c88a9fbd98c48c6e997e930d45c5ac

SHA1
eb10e50219a79189c1a2d090853990a571f8a36c

SHA256
b44c0b0050f73a43a54a6e0d24e41c0843fd36c5e836997cf0f05405b72221a7

SHA512
1654c5451b99e1e2232595f02f818b27115b0d77c651c9202321879c4fed37231b9389001c3140ca199186e3a1d98c029e190be745c534de2304b225a8e3e638

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\41javaSetup.exe

Filesize
28.1MB

MD5
f2fd417b6d5c7ffc501c7632cc811c3e

SHA1
305c1493fca53ab63ba1686c9afdfb65142e59d3

SHA256
a87adf22064e2f7fa6ef64b2513533bf02aa0bf5265670e95b301a79d7ca89d9

SHA512
289ee902156537e039636722ad5ac8b0592cf5cffda3d03cf22240003627b049382b95db1b24cf6a2f7134b0df93ede65a80a86381fc161b54c84a76ed04458b

Download Submit
C:\Windows\Installer\MSIC4C7.tmp

Filesize
202KB

MD5
9f84d910602183954bed6d9660600783

SHA1
82e3b122dc63e0a333bca531dd16667d5fafbf23

SHA256
bf4e4c75d148cb412e28a0b4e665919fd5ac6b9aa6bc3fa75401394759218d5e

SHA512
09fb450e6c6f22a32d5e06f470070aab17d4973afe307b529093af7fa29ab96b61a89814e4964d005459f8ebb25716134a5e1c41f6ea7d260361b135306544b9

Download Submit
memory/1380-77-0x0000000000370000-0x00000000003FC000-memory.dmp

Filesize
560KB

Download
memory/1948-1464-0x000000003AA00000-0x000000003AA10000-memory.dmp

Filesize
64KB

Download
memory/1948-1486-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/2064-1618-0x0000000000370000-0x00000000003FC000-memory.dmp

Filesize
560KB

Download
memory/2064-0-0x0000000000370000-0x00000000003FC000-memory.dmp

Filesize
560KB

Download
memory/2064-76-0x0000000000370000-0x00000000003FC000-memory.dmp

Filesize
560KB

Download
memory/2064-1752-0x0000000000370000-0x00000000003FC000-memory.dmp

Filesize
560KB

Download
memory/3008-864-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/3796-1604-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/3856-1611-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/3856-1617-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/4148-1672-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/4148-1674-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/4260-1710-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4260-1712-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4260-1714-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4876-1745-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download