Malware Analysis Report

2024-07-28 05:13

Sample ID 240604-d33dbabf9y
Target 938105f8ff32ee80432a1118a16c08e6_JaffaCakes118
SHA256 478840c248eac7c2241aed3c87299ac8f7c438704125ac97834a3c98736bdbe8
Tags
adware persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

478840c248eac7c2241aed3c87299ac8f7c438704125ac97834a3c98736bdbe8

Threat Level: Likely malicious

The file 938105f8ff32ee80432a1118a16c08e6_JaffaCakes118 was found to be: Likely malicious.

What the behavioral1 run below records: besides the submitted executable, a second binary, C:\Users\Admin\AppData\Local\Temp\javaSetup.exe, appears in the process list, and a Windows Installer session (msiexec.exe / MsiExec.exe) then unpacks a JRE 7 tree into C:\Program Files (x86)\Java\jre7, copies java.exe, javaw.exe and javaws.exe into C:\Windows\SysWOW64, registers the {CAFEEFAC-...} CLSIDs for jp2iexp.dll (the Java Plug-in CLSID family), two Browser Helper Objects and the SunJavaUpdateSched Run key, and adds Internet Explorer elevation-policy entries for the Java bin directory. The one file written outside that JRE layout is C:\Program Files (x86)\Zona\Zona.7z.tmp, created by the freshly installed javaw.exe. Nearly every persistence and file-drop signature is therefore raised by the installer processes rather than by the submitted executable itself; when triaging, verify the Authenticode signatures of the dropped JRE binaries and treat the Zona drop and the javaw.exe child activity as the part to inspect separately.

Malicious Activity Summary

adware persistence spyware stealer

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Registers COM server for autorun

Enumerates connected drives

Adds Run key to start application

Installs/modifies Browser Helper Object

Blocklisted process makes network request

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Modifies data under HKEY_USERS

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-04 03:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 03:32

Reported

2024-06-04 03:35

Platform

win7-20240508-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0005-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0057-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0018-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0068-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0012-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0053-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0058-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\"" C:\Windows\system32\msiexec.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A
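The three persistence tables above (COM server registration, Run key, Browser Helper Objects) are flattened "Description Indicator Process Target" rows. The following is an added example, not part of this report or of the sandbox's own tooling: a small Python parser that reads rows in that layout, pulls out the InprocServer32 default values, Run entries and BHO GUIDs, records whether each lives under HKLM or a per-user hive, and flags any target that points into a user-writable location. The sample rows are copied from the tables above except the last one, which is a hypothetical all-zero CLSID pointing into %TEMP% (not from the report) included only so the user-writable check has something to flag.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the flattened registry rows from the behavioral1 tables.
# The last row (all-zero CLSID, DLL under %TEMP%) is hypothetical and NOT from the
# report; it only exercises the user-writable-path check.
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hypothetical.dll" C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe N/A
'''

# Row layout: <action> <indicator> <process> N/A. The process path never contains
# quotes, which is what lets the non-greedy indicator stop at the right place.
ROW_RE = re.compile(
    r'^(?P<action>Set value \((?:str|int)\)|Key (?:created|opened|deleted|value queried)) '
    r'(?P<indicator>.+?) (?P<process>[A-Za-z]:\\[^"]+?\.exe) N/A$')
VALUE_RE = re.compile(r'^(?P<key>.+?)\\(?P<name>[^\\]*) = "(?P<value>.*)"$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$', re.I)
BHO_RE = re.compile(r'\\Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})(?:\\|$)', re.I)
RUN_RE = re.compile(r'\\CurrentVersion\\Run$', re.I)
USER_WRITABLE = ('\\users\\', '\\programdata\\', '\\appdata\\', '\\temp\\')


@dataclass
class Finding:
    kind: str            # 'com_server' | 'run_key' | 'bho'
    hive: str            # 'HKLM' (machine-wide) or 'HKU' (per-user, no admin needed)
    identifier: str      # CLSID, BHO GUID or Run value name
    target: str          # server DLL / autostart command, '' if only the key was created
    process: str         # process that wrote the entry
    user_writable: bool  # target lives somewhere an unprivileged user can replace it


def unescape(s: str) -> str:
    """Undo the sandbox's C-style escaping of backslashes and quotes in values."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_row(line: str) -> Optional[dict]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    action, indicator, process = m.group('action', 'indicator', 'process')
    key, name, value = indicator, None, None
    if action.startswith('Set value'):
        vm = VALUE_RE.match(indicator)
        if not vm:
            return None
        key, name, value = vm.group('key'), vm.group('name'), unescape(vm.group('value'))
    return {'action': action, 'key': key, 'name': name, 'value': value, 'process': process}


def hive_of(key: str) -> str:
    k = key.upper()
    if k.startswith('\\REGISTRY\\MACHINE'):
        return 'HKLM'
    return 'HKU' if k.startswith('\\REGISTRY\\USER') else 'OTHER'


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return bool(path) and any(tok in p for tok in USER_WRITABLE)


def extract_persistence(text: str) -> List[Finding]:
    merged: Dict[Tuple[str, str], Finding] = {}
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        key, name, value = row['key'], row['name'], row['value'] or ''
        kind, ident, target = None, None, ''
        m = CLSID_RE.search(key)
        if m:
            kind, ident = 'com_server', m.group(1)
            if name == '':                 # default value of InprocServer32 = the DLL
                target = value
        elif RUN_RE.search(key) and name:
            kind, ident, target = 'run_key', name, value.strip('"')
        else:
            m = BHO_RE.search(key)
            if m:
                kind, ident = 'bho', m.group(1)
        if kind is None:
            continue
        f = merged.get((kind, ident))
        if f is None:                      # one finding per CLSID/GUID/value name
            merged[(kind, ident)] = Finding(kind, hive_of(key), ident, target,
                                            row['process'], is_user_writable(target))
        elif target and not f.target:      # a later row supplied the DLL/command
            f.target, f.user_writable = target, is_user_writable(target)
    return list(merged.values())


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Entries whose target could be swapped out without admin rights."""
    return [f for f in findings if f.user_writable]


if __name__ == '__main__':
    found = extract_persistence(SAMPLE_ROWS)
    print(summarize(found))
    for f in found:
        print(f"{f.kind:10} {f.hive:4} {f.identifier} -> {f.target or '(key only)'}"
              + ('  <-- user-writable target' if f.user_writable else ''))
```

On the report's own rows every COM server resolves to jp2iexp.dll under Program Files and the Run key to jusched.exe under Common Files, so nothing is flagged as user-writable; only the hypothetical %TEMP% row trips the check. Note that the CLSID rows sit under the user's \_CLASSES hive (HKU), so those registrations needed no elevation.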

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsAccessBridge-32.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SysWOW64\javaws.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SysWOW64\java.exe C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\java.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SysWOW64\javaw.exe C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Cairo C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Omsk C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Australia\Lindeman C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Fakaofo C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\rt.jar C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\cmm\GRAY.pf C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Dili C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Gaza C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Tokyo C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Tongatapu C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\jabswitch.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Cuiaba C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Santo_Domingo C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Scoresbysund C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-7 C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Belgrade C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Kiritimati C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\jp2native.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Indiana\Vevay C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Kiev C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\Welcome.html C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\servertool.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Dawson_Creek C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Rainy_River C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Taipei C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Common Files\Java\Java Update\jaucheck.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Belem C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\README.txt C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\ssvagent.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Jamaica C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Yakutat C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+3 C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\UTC C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy.jar C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
File created C:\Program Files (x86)\Java\jre7\core.zip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy\messages_fr.properties C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\i386\jvm.cfg C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\security\local_policy.jar C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Matamoros C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Zona\Zona.7z.tmp C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\cmm\PYCC.pf C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy\jqs\jqsmessages.properties C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Whitehorse C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Baku C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+6 C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\release C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Danmarkshavn C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Nome C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Novokuznetsk C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Tashkent C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\COPYRIGHT C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\fonts\LucidaBrightItalic.ttf C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\psfontj2d.properties C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Abidjan C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Jerusalem C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-5 C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Srednekolymsk C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\javacpl.cpl C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\ext\sunec.jar C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\Mendoza C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Bahia C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f76851c.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f768520.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9898.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI98D9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f768517.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI97AD.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f768522.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f768520.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76851d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8997.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76851a.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76851a.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8705.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI87F0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76851d.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f768517.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\msiexec.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\msiexec.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "41994352" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath C:\Windows\syswow64\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_63" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_28" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_41" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_07" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0026-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0082-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0066-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0055-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_80" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_01" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0012-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_14" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_42" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0018-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0042-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0082-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Programmable C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_06" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_84" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_28" C:\Windows\syswow64\MsiExec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\javaSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\javaSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe
PID 2008 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe
PID 2008 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe
PID 2008 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe
PID 2008 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 2008 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 2008 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 2008 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 3028 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 3028 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 3028 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 3028 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 3028 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 3028 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 3028 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 2756 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2756 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2756 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2756 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2756 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2756 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2756 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2196 wrote to memory of 2992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2196 wrote to memory of 2992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2196 wrote to memory of 2992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2196 wrote to memory of 2992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2196 wrote to memory of 2992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2196 wrote to memory of 2992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2196 wrote to memory of 2992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2196 wrote to memory of 340 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2196 wrote to memory of 340 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2196 wrote to memory of 340 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2196 wrote to memory of 340 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2196 wrote to memory of 340 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2196 wrote to memory of 340 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2196 wrote to memory of 340 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 340 wrote to memory of 1228 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1228 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1228 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1228 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1464 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1464 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1464 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1464 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1968 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1968 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1968 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1968 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 2944 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 2944 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 2944 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 2944 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1684 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1684 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1684 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1684 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 2044 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 2044 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 2044 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 2044 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1500 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1500 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1500 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 340 wrote to memory of 1500 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

Processes

C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe" /asService

C:\Windows\SysWOW64\cscript.exe

cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs

C:\Users\Admin\AppData\Local\Temp\javaSetup.exe

"C:\Users\Admin\AppData\Local\Temp\javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 91F1903CA3051C497129C4D727DBBBA7

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 96247BAE181551994663A4C922D91289 M Global\MSI0000

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump

C:\Program Files (x86)\Java\jre7\bin\javaws.exe

"C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator

C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe

"C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW5camF2YXcuZXhl -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\AU\au.msi" ALLUSERS=1 /qn

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 331B8157DC30E9243253CE3154569D42

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.7.0_80-b15

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" ru.megamakc.core.JavaVer

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" ru.megamakc.core.JavaVer

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\Zona.7z" "C:\Program Files (x86)\Zona"

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\appdata.7z" "C:\Users\Admin\AppData\Roaming\Zona"

Network

Country Destination Domain Proto
US 8.8.8.8:53 zona.ru udp
NL 5.35.172.6:80 zona.ru tcp
NL 5.35.172.6:80 zona.ru tcp
US 8.8.8.8:53 w1.zona.pub udp
NL 5.35.170.40:443 w1.zona.pub tcp
NL 5.35.170.40:443 w1.zona.pub tcp
US 8.8.8.8:53 stat.miniload.org udp
US 8.8.8.8:53 dl.zona.ru udp
RU 46.254.16.107:80 dl.zona.ru tcp
GB 104.103.251.196:443 tcp
US 8.8.8.8:53 rps-svcs.sun.com udp
BE 23.14.90.97:80 rps-svcs.sun.com tcp
US 8.8.8.8:53 javadl.oracle.com udp
GB 104.103.251.196:80 javadl.oracle.com tcp
GB 104.103.251.196:443 javadl.oracle.com tcp
US 8.8.8.8:53 sjremetrics.java.com udp
IE 66.235.152.221:443 sjremetrics.java.com tcp
RU 46.254.16.107:80 dl.zona.ru tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\Zona\init.xml

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

C:\Users\Admin\AppData\Local\Temp\hd.vbs

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

C:\Users\Admin\AppData\Local\Temp\Cab172B.tmp

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

C:\Users\Admin\AppData\Local\Temp\javaSetup.exe

C:\Users\Admin\AppData\Local\Temp\javaSetup.exe

\Users\Admin\AppData\Local\Temp\javaSetup.exe

C:\Users\Admin\AppData\Local\Temp\Tar8067.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi

C:\Users\Admin\AppData\Local\Temp\Tar85BA.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

\Windows\Installer\MSI8705.tmp

C:\Users\Admin\AppData\Local\Temp\jusched.log

C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\Data1.cab

C:\Program Files (x86)\Java\jre7\lib\rt.pack

C:\Users\Admin\AppData\Local\Temp\java_install.log

\Program Files (x86)\Java\jre7\bin\msvcr100.dll

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

C:\Program Files (x86)\Java\jre7\lib\charsets.pack

C:\Program Files (x86)\Java\jre7\lib\deploy.pack

C:\Program Files (x86)\Java\jre7\lib\plugin.pack

C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack

C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack

C:\Users\Admin\AppData\Local\Temp\java_install.log

C:\Users\Admin\AppData\Local\Temp\jusched.log

\Program Files (x86)\Java\jre7\bin\javaw.exe

C:\Program Files (x86)\Java\jre7\bin\java.dll

\Program Files (x86)\Java\jre7\bin\verify.dll

\Program Files (x86)\Java\jre7\bin\client\jvm.dll

C:\Program Files (x86)\Java\jre7\lib\i386\jvm.cfg

memory/1496-921-0x00000000001D0000-0x00000000001D1000-memory.dmp

\Program Files (x86)\Java\jre7\bin\jpishare.dll

C:\Program Files (x86)\Java\jre7\lib\jsse.pack

C:\Program Files (x86)\Java\jre7\bin\javaws.exe

C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll

memory/1760-945-0x000000003A000000-0x000000003A010000-memory.dmp

C:\Config.Msi\f76851b.rbs

memory/2284-992-0x0000000000270000-0x000000000027A000-memory.dmp

memory/2284-991-0x0000000000270000-0x000000000027A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

memory/1760-967-0x0000000000190000-0x0000000000191000-memory.dmp

C:\Windows\Installer\f76851d.msi

C:\Config.Msi\f768521.rbs

C:\Program Files (x86)\Java\jre7\lib\javaws.pack

C:\Users\Admin\AppData\Local\Temp\java_install.log

memory/2284-1111-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2524-1110-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1584-1140-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

memory/2284-1153-0x0000000000190000-0x0000000000191000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

memory/3020-1197-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1972-1226-0x0000000000180000-0x0000000000181000-memory.dmp

memory/1972-1279-0x0000000000180000-0x0000000000181000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 03:32

Reported

2024-06-04 03:35

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\unpack200.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsAccessBridge-32.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SysWOW64\javaws.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SysWOW64\java.exe C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\java.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SysWOW64\javaw.exe C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Bogota C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Iqaluit C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Atlantic\Reykjavik C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\axbridge.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\jawt.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Bissau C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\rmiregistry.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Thule C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Kathmandu C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Atlantic\Canary C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\decora-sse.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\jp2iexp.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\nio.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Metlakatla C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Damascus C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Hovd C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Jayapura C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Chatham C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\ext\sunec.jar C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Caracas C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Indiana\Indianapolis C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Nassau C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Atlantic\Madeira C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Zaporozhye C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\javacpl.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\kinit.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Bahia C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy\splash.gif C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Belize C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Eirunepe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Maceio C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-3 C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Amsterdam C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\README.txt C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\currency.data C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Niue C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\SystemV\EST5EDT C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\ext\sunjce_provider.jar C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Porto_Velho C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Pohnpei C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\dt_shmem.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Adak C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Macau C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Monrovia C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Moncton C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\jpiexp.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy\messages_fr.properties C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\deploy\messages_ja.properties C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\San_Luis C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\Tucuman C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Tallinn C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Zona\uninstall.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\jpinscp.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\ext\sunpkcs11.jar C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\fonts\LucidaTypewriterBold.ttf C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Almaty C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Jakarta C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Pontianak C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Rangoon C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\fxplugins.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\javafx-iio.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\bin\pack200.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Taipei C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F03217080FF} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58da13.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE56B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDF10.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58da0f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE144.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58da0f.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\msiexec.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "51432224" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin" C:\Windows\syswow64\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0062-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_47" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0023-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_45" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_65" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_21" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_43" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_50" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0049-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_63" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0091-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_56" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0052-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_22" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\ = "Java Plug-in 1.3.0_02" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0033-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_06" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_84" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_19" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0034-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_19" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_56" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0068-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_84" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0082-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0023-ABCDEFFEDCBC} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0045-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_45" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_59" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_68" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0042-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_04" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBB} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0071-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0027-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_27" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_62" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0067-ABCDEFFEDCBA}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0070-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\APPLICATION/X-JAVA-JNLP-FILE C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBB}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0057-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_11" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_01" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0076-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_76" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBC}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_86" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0033-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0052-ABCDEFFEDCBA} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe
PID 1900 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe
PID 1900 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe
PID 1900 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 1900 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 1900 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 884 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 884 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 884 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 3224 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 3224 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 3224 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 4420 wrote to memory of 700 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4420 wrote to memory of 700 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4420 wrote to memory of 700 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4420 wrote to memory of 1252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4420 wrote to memory of 1252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4420 wrote to memory of 1252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1252 wrote to memory of 3608 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 3608 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 3608 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 1668 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 1668 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 1668 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 656 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1252 wrote to memory of 656 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1252 wrote to memory of 656 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1252 wrote to memory of 880 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 880 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 880 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 3216 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 3216 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 3216 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 940 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 940 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 940 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 468 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 468 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 468 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 1988 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 1988 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 1988 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 3644 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1252 wrote to memory of 3644 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1252 wrote to memory of 3644 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1524 wrote to memory of 3464 N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1524 wrote to memory of 3464 N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1524 wrote to memory of 3464 N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1524 wrote to memory of 736 N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe
PID 1524 wrote to memory of 736 N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe
PID 1524 wrote to memory of 736 N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe
PID 1900 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1900 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1900 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1900 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1900 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1900 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 884 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 884 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 884 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 884 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 884 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 884 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
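
The WriteProcessMemory table above is a flat list of parent-to-child writes: every event is repeated once per write, and one PID (656) appears under two different parents (1252 and 1900), which is how a sandbox trace looks when a PID is reused. The example below is added here and is not part of the report or of any sandbox tooling. It rebuilds the process tree from a subset of those rows (copied from the table, duplicate and PID reuse included) and applies two illustrative heuristics of my own, "script host launched by a Temp-resident parent" and "new executable launched from Temp", which pick out the cscript.exe and javaSetup.exe edges. The row regular expression and the rule names are assumptions about this report's row format, not a documented schema.

```python
import re

# Constructed sample: a subset of the rows in this report's
# "Suspicious use of WriteProcessMemory" table, copied as they appear there.
# It keeps one verbatim duplicate (1900 -> 884) and PID 656, which the table
# lists under two different parents (1252 and 1900).
SAMPLE_ROWS = r"""
PID 1900 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe
PID 1900 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe
PID 1900 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Windows\SysWOW64\cscript.exe
PID 884 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
PID 3224 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\javaSetup.exe C:\Windows\SysWOW64\msiexec.exe
PID 4420 wrote to memory of 700 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4420 wrote to memory of 1252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1252 wrote to memory of 3608 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
PID 1252 wrote to memory of 656 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1524 wrote to memory of 3464 N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 1524 wrote to memory of 736 N/A C:\Program Files (x86)\Java\jre7\bin\javaws.exe C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe
PID 1900 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PID 884 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe C:\Program Files (x86)\Java\jre7\bin\javaw.exe
""".strip().splitlines()

# Assumed row layout: "PID <p> wrote to memory of <c> N/A <parent path> <child path>".
# The first path is matched non-greedily up to the " C:\" that starts the second one.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")

# Illustrative heuristics (my own, not the sandbox's signatures).
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
TEMP_MARKER = "\\appdata\\local\\temp\\"


def parse_rows(lines):
    """Return unique (parent_pid, child_pid, parent_path, child_path) edges, in table order."""
    edges = {}
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or unrelated line
        key = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        edges.setdefault(key, None)  # dedupe repeated writes, keep first-seen order
    return list(edges)


def build_tree(edges):
    """children: pid -> [child pids]; names: pid -> image path; roots: pids never written to."""
    children, names = {}, {}
    for ppid, cpid, ppath, cpath in edges:
        children.setdefault(ppid, []).append(cpid)
        names.setdefault(ppid, ppath)
        names[cpid] = cpath
    targets = {cpid for _, cpid, _, _ in edges}
    roots = sorted(p for p in children if p not in targets)
    return children, names, roots


def render_tree(children, names, roots):
    """Indented text tree; a PID already on the current branch is not expanded again."""
    out = []

    def walk(pid, depth, branch):
        out.append("  " * depth + f"{pid} {names[pid]}")
        for c in children.get(pid, []):
            if c in branch:  # guard against PID reuse producing a cycle
                out.append("  " * (depth + 1) + f"{c} (already on this branch)")
                continue
            walk(c, depth + 1, branch | {c})

    for r in roots:
        walk(r, 0, {r})
    return "\n".join(out)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_temp(path):
    return TEMP_MARKER in path.lower()


def flag_edges(edges):
    """Return (rule, parent_pid, child_pid) for edges matching the heuristics above."""
    hits = []
    for ppid, cpid, ppath, cpath in edges:
        if in_temp(ppath) and basename(cpath) in SCRIPT_HOSTS:
            hits.append(("script-host-from-temp", ppid, cpid))
        # A self-relaunch (same image, e.g. the /asService copy) is not a new executable.
        if in_temp(cpath) and cpath.lower() != ppath.lower():
            hits.append(("exe-from-temp", ppid, cpid))
    return hits


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    children, names, roots = build_tree(edges)
    print(render_tree(children, names, roots))
    for hit in flag_edges(edges):
        print("FLAG", *hit)
```

Run against the full table the same way; the only change is feeding it all rows. Because PID 656 sits under both 1252 and 1900, it is rendered in both branches rather than collapsed, which is the correct reading of a trace that does not carry process start times.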

Processes

C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\938105f8ff32ee80432a1118a16c08e6_JaffaCakes118.exe" /asService

C:\Windows\SysWOW64\cscript.exe

cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\javaSetup.exe

"C:\Users\Admin\AppData\Local\Temp\javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A9C4038176EEB6155AE1211299E5CF3A

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding EF6BF19A27F46829687798580744CB0B E Global\MSI0000

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump

C:\Program Files (x86)\Java\jre7\bin\javaws.exe

"C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator

C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe

"C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW5camF2YXcuZXhl -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" ru.megamakc.core.JavaVer

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" ru.megamakc.core.JavaVer

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\Zona.7z" "C:\Program Files (x86)\Zona"

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\appdata.7z" "C:\Users\Admin\AppData\Roaming\Zona"
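
The jp2launcher.exe command line listed above carries its real arguments inside the -vma and -ma values rather than in plain text. Decoding them shows each value is base64 of NUL-separated strings: -vma holds the JVM options (the deploy.jar classpath, -Djava.security.manager, the javaws.policy file, the -Xbootclasspath/a: jars, the javaw.exe path), and -ma holds the application arguments, which are the parent javaws.exe's visible "-fix -permissions -silent" plus "-notWebJava". The example below is added here and is not code from the report; the NUL-separated-base64 reading of the format is inferred from decoding these two values from this page, the two command lines are copied from the Processes section, and the helper names are mine.

```python
import base64
import re

# Command lines copied from this report's Processes section (javaws.exe is the
# parent of jp2launcher.exe per the WriteProcessMemory table, PID 1524 -> 736).
JAVAWS_CMDLINE = r'"C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent'
JP2LAUNCHER_CMDLINE = (
    r'"C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws '
    r'-jre "C:\Program Files (x86)\Java\jre7" -vma '
    "LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kA"
    "LUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6"
    "XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFy"
    "AC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW5camF2YXcuZXhl"
    " -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ=="
)


def decode_nul_separated_b64(token):
    """Decode one -vma/-ma value: base64 (padding may be absent) of NUL-joined strings.
    Format assumed from decoding the values in this report."""
    raw = base64.b64decode(token + "=" * (-len(token) % 4))
    return [a for a in raw.decode("utf-8").split("\x00") if a]


def launcher_args(cmdline):
    """Return {'vma': [...], 'ma': [...]} for the flags present on a jp2launcher line."""
    out = {}
    for flag in ("vma", "ma"):
        m = re.search(r" -%s (\S+)" % flag, cmdline)  # leading space keeps -ma from matching -vma
        if m:
            out[flag] = decode_nul_separated_b64(m.group(1))
    return out


def summarize_vma(vma):
    """Pull out the JVM options an analyst checks first in a Web Start launch."""
    policy = next((a.split("=", 1)[1] for a in vma if a.startswith("-Djava.security.policy=")), None)
    jvm = next((a.split("=", 1)[1] for a in vma if a.startswith("-Djnlpx.jvm=")), None)
    bootcp = []
    for a in vma:
        if a.startswith("-Xbootclasspath/a:"):
            bootcp = a.split(":", 1)[1].split(";")
    return {
        "security_manager": "-Djava.security.manager" in vma,
        "policy": policy,
        "bootclasspath": bootcp,
        "jvm": jvm,
    }


def visible_args(cmdline):
    """Tokens after the image path, honouring double quotes (Windows-style command line)."""
    return re.findall(r'"[^"]*"|\S+', cmdline)[1:]


def parent_args_match(parent_cmdline, child_ma):
    """Check the child's decoded -ma starts with the parent's visible arguments;
    return (matches, extra arguments the child added)."""
    visible = visible_args(parent_cmdline)
    return child_ma[: len(visible)] == visible, child_ma[len(visible):]


if __name__ == "__main__":
    args = launcher_args(JP2LAUNCHER_CMDLINE)
    for a in args["vma"]:
        print("vma:", a)
    print("ma: ", args["ma"])
    print(summarize_vma(args["vma"]))
    print(parent_args_match(JAVAWS_CMDLINE, args["ma"]))
```

The point of the prefix check is triage speed: when the decoded -ma is exactly the parent's arguments plus a launcher-added flag, the jp2launcher process is the JRE installer's own "-fix -permissions" post-install step, and the analyst's attention can go to the javaw.exe instances that load Zona\utils.jar instead.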

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 zona.ru udp
NL 5.35.172.6:80 zona.ru tcp
NL 5.35.172.6:80 zona.ru tcp
US 8.8.8.8:53 w1.zona.pub udp
NL 5.35.170.40:443 w1.zona.pub tcp
NL 5.35.170.40:443 w1.zona.pub tcp
US 8.8.8.8:53 6.172.35.5.in-addr.arpa udp
US 8.8.8.8:53 stat.miniload.org udp
US 8.8.8.8:53 40.170.35.5.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 170.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 dl.zona.ru udp
RU 46.254.16.107:80 dl.zona.ru tcp
US 8.8.8.8:53 stat.miniload.org udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 stat.miniload.org udp
US 13.107.253.64:443 tcp
GB 104.103.251.196:443 tcp
US 8.8.8.8:53 rps-svcs.sun.com udp
BE 23.14.90.90:80 rps-svcs.sun.com tcp
US 8.8.8.8:53 196.251.103.104.in-addr.arpa udp
US 8.8.8.8:53 javadl.oracle.com udp
GB 104.103.251.196:80 javadl.oracle.com tcp
GB 104.103.251.196:443 javadl.oracle.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 sjremetrics.java.com udp
IE 66.235.152.156:443 sjremetrics.java.com tcp
US 8.8.8.8:53 156.152.235.66.in-addr.arpa udp
RU 46.254.16.107:80 dl.zona.ru tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 2.21.189.164:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Zona\init.xml

MD5 87345acd801693604fe5aa01a858c536
SHA1 bb9783e66bc1f7cd7ac13182a29919759476cbe5
SHA256 65d75dc574cdc94e99bcce6b8c69c85aae873a8916c2b02883bcc2550588a7fb
SHA512 4d8efd36c8d31aaf19a19c9423da9dd68aed35fa4a12e47d1ca59854d22388bfb8f3839024791614cea4809cad2eb2dddcc819d41c6775d45de302edddc67d48

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

MD5 10466272e1f4799583d71314db2ea690
SHA1 18c25916639d01127a3752d4b4f17ce7578b698e
SHA256 0c5e81cae3cee9a10f89bb20a948f6e5596391eae4f69deab753c5eae6d87c8e
SHA512 a5d4dfb3e3fbb26268c73c9d748ac9011c97721b493fd25cbdace65932512d5b06e2ffbb772fb8eaf36171154840a39924d9adbefe67f26e7478cae14e4326a8

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

MD5 22f90029714048958d48563a10774868
SHA1 9c7f32635692c76371972a5caa5b3fd96601cfb2
SHA256 dcc6ef9e0367ebdd85fa27095f46315e1e28f1f3117c7ac31f4a59d11b4a574a
SHA512 38c85357e4351201a631d1312656d8f306bafb19b27b351adf4c2b19621799525351aebb577cce9719a6fbca951dab32f104a1ce16d62b1220b868f046ce0dad

C:\Users\Admin\AppData\Local\Temp\hd.vbs

MD5 d8682d715a652f994dca50509fd09669
SHA1 bb03cf242964028b5d9183812ed8b04de9d55c6e
SHA256 4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba
SHA512 eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

MD5 e4ae10d72c6a29c7dcfd783419cbbc52
SHA1 89a1bf3e732705c760233bd712b2798788a311bb
SHA256 bea420a2ebcd9cc21a1a074a98d36280fa8f52b58dfecfa48415bbaf34e37d80
SHA512 2657d94aa16e903651e947103187fe7b48d489722517dd1382e6f46b4b8afe43df8142c583c2b99faeae5a893bcd57045cdac96cfe2da1e6df9a39c1b1ecfc0a

C:\Users\Admin\AppData\Local\Temp\javaSetup.exe

MD5 086e502a75504ddcd3a7f31dd2558b54
SHA1 3fc18732d2853d5a6295c57d79d0694181acc7c9
SHA256 78514037c0451396dc7785675670daad02f22a2d9f2309701cc6b5a108723c44
SHA512 d412ec3ac8e7d9c866911b48bb9425d5d8a5561ec811f00a536687895d3508e47b665fa4e417d97241100bd12c336431d36631e0bd560d0342d574661e351f5d

C:\Users\Admin\AppData\Local\Temp\javaSetup.exe

MD5 1c35470cf9dd0ee899a0b51297780067
SHA1 24b061076666c8cca1fd55692da280b9c17479a5
SHA256 99f278ba4fe8c0211e3474dc22ebe826757388f628086c7aa40ce34549a3971b
SHA512 aaab89936125a5c469c34fb1c73dfe9c0611d2541a8133cd67969f1647685eb15b46e2d412e83090548531cbfd30c6b3d2d95d33ebe5a1cf91b55317fe0b48e7

C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi

MD5 e24d9b483ce7a3a6a4406111883457f7
SHA1 0d5efff0d110c48f5e6f5d438967427f1e2dbf84
SHA256 dbf28e21d55dd662cccf4d422a1a645a6a3dbfd6914942dde417d20c4d2fe01c
SHA512 b614b023ce683e78ee685be028fa06d7df90f10360d55de2a8c1214200b0b85998683502f377b01584bf23b72b168c33ef560a78d7abdf68aa3af87beca59398

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 b3398ccf35ead6e06f9c5eb8b863afcd
SHA1 95be73ad94d2cd7acbe560a715d2e19bb109be3e
SHA256 493a646df8c997b05a5a5d11fa68f66e2f7c7ea2009674e056c4ca4dd2ec72f8
SHA512 8f56b4996654eee61371f7a41c958c85080b5fac47cdcf02966f70de3727f4da59519c0ec44434d54b75630b834ff9c0e56192550e59641a31003e1621fe2eba

C:\Windows\Installer\MSIDF10.tmp

MD5 9f84d910602183954bed6d9660600783
SHA1 82e3b122dc63e0a333bca531dd16667d5fafbf23
SHA256 bf4e4c75d148cb412e28a0b4e665919fd5ac6b9aa6bc3fa75401394759218d5e
SHA512 09fb450e6c6f22a32d5e06f470070aab17d4973afe307b529093af7fa29ab96b61a89814e4964d005459f8ebb25716134a5e1c41f6ea7d260361b135306544b9

C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\Data1.cab

MD5 8f7102beba0becefe8a1da6a1bdc9b2e
SHA1 e66b688cfb3b53eb471123cc23c03fda47ff0d3a
SHA256 f16cf123cb24a38015064e1dd2599d9d2e276df4455a946cc16bc6b0646aa77a
SHA512 a6772f4c69f1dd7822794b1373aa5ca88a2250f6442873c94d2324e1d6f76dbe2ae6a947bdd4f1880b2666b7e9a232da3ac04c05f357259dae0d6f85b11bab14

C:\Program Files (x86)\Java\jre7\bin\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\java_install.log

MD5 525bf7f5b63ffd5e86fa3aee92551c21
SHA1 bf3cd939fe57f5076afbd231cb5b1b0ea03ba5d0
SHA256 e0e88bda4bcbbcfadb1009060372744f8b3f3628ae29b1d310a99255ec76aa7a
SHA512 825d048f8a3eb7ec88bda27eaf34b5c05a9545a12d48d29fc264aeae571fb2b4aa2957cd1b5459d53dc5d18b7968760d47136a6ec099c5612c3a7ab677b24d73

C:\Program Files (x86)\Java\jre7\lib\rt.pack

MD5 b6d75e8c90c79af1579769f10b1e5c88
SHA1 146cb3f05fa161885e8faf079fa2bbd89b5c5b18
SHA256 82dc6806d9ec9eb16604f90a5c78d0d882b69a0e718d8f6c3c6b7c9719887b7e
SHA512 02cdd0c0d6e71bc09120db2cd3b9471c0176567d92bb74a08c13e82c1d23722eb4afac41583a11dee3fc531fd442754ee0f5cb964898ec036ddd432947996037

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe

MD5 0d46182b6134aa9c7acd16133d67e4c3
SHA1 7b5be3d65e5e744723bf55a08f9dc1042585d5eb
SHA256 c89091f2a4de2fcf10b30e54a74ec5764e2dfc0577f4f1d879ac8816e3b08bcc
SHA512 735b6c6bd69b22a71c15ae44c6fa1693700321dc3b4b2367ce05d5c37df62e45d1d3836c2c0f5e44be1036aeb11a533c2a4dbec55163b4a15adfa1c8ef75673b

C:\Program Files (x86)\Java\jre7\lib\charsets.pack

MD5 549bbcd204914b543dafee670f110834
SHA1 012461935191a55482e8c3d453d245e965a10a2a
SHA256 8ea5af036ec067a0abcf87b8f5921e2281ff9d259e1d4c3bbe7fa9037cd87d02
SHA512 b0346a2ec52ce47351286f27f347f5fea99e160aedde52bcf74e1629739704bd975c9c99d8db6be3b6bd45e7fa933616fa081eda49e9b911efcc031c7241400e

C:\Program Files (x86)\Java\jre7\lib\deploy.pack

MD5 b2a448112b7c886ccce9b6a3d5efd8a0
SHA1 660bc9efe960015b208a421b1a63443e7151024f
SHA256 928f6b847f94b920c462a08c43f0dfd3f7c40076b1cd60545523a5c27a4870ca
SHA512 871da63f4eaf16d77ba6c19c10d8ddd8e94f744c20a70e24793f837023d20e56698d85f67498bc06ec37b73a8f376c220afbe7f3884b00536b710ff49c339b3f

C:\Program Files (x86)\Java\jre7\lib\plugin.pack

MD5 47d6cfa1b01a6d41885504bbc3b1919a
SHA1 3838060f9d530c972d65f36fa38b265120a218aa
SHA256 93defaaf7f82e2e9565b27dd31a41c89e02d1b7719d0da0b940a55dcc75b91e5
SHA512 b0df9b174624234aaeb2b50cf611f698377925a0ae5c5ee9da46c65fcecf4d28941d1bf2332316d9327981c1f8c6c4fecf750e013f04eef63f5df52d27593135

C:\Program Files (x86)\Java\jre7\lib\jsse.pack

MD5 31b4d9c29d29567b0ae3037fac9fbdc6
SHA1 8b5d1b1a309177466d71a742414d441f600ea38e
SHA256 9f031f2f1292bb311c400b0a93a11b78a08f013332b1263ea58617b6548862eb
SHA512 b4a8a3a1e837f98a3164e19a6fe939819eb336892335de975822890b52b5923d85fee4c4e5464ccb0d46c847f37f7da98a839aadbf4d20fca355f396a53836c0

C:\Users\Admin\AppData\Local\Temp\java_install.log

MD5 6395ef19c45e81bddd74837a1394acb5
SHA1 92a97d8fa5c76891d0df4b4d9812370ee85859b9
SHA256 a0da062ab80c0dc8d84f51bd76faf53001cd4b48bcbc0ddae6d75e210ea92ccb
SHA512 5bb7439566d386aa46774e71378284fff75855f2b5971345d54e5142a23a9488a49b1de2a9533d37cb3f33c8d50cc64727daac7c96ca6dd3779144379a068fdb

C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack

MD5 dfaa6429468d56ef77932cf26a495f75
SHA1 8a21a29225640f1829ae328a24ef9cb5e215a4e0
SHA256 8c481a549acfa58b1bac0385906febe33a928d004a529fec505b6a9228678fed
SHA512 6c19ed573b111315648de0646441486729b304452c15b2282938460a2339db0be4e1eb19cf6f2bf17f73037811ca2553a15957ea96b9d9af64a93045407c1148

C:\Users\Admin\AppData\Local\Temp\java_install.log

MD5 cc147c8509b89de26462cd73e51d3df4
SHA1 b37e85f40a18c1832530a760b309799378f7f6a9
SHA256 2f0f162f348b4020566418fd30c090fac83883284dde7c163b923f68d0886c69
SHA512 b8ef88fc7c91371605dc12a6fae41fa576836ad7eecbf728cd78ab5de9b235c221d5f43d2e9f9adc234f6ae5c3e823dd1b213aaa0340aa8d341015ad393a3e93

C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack

MD5 c8dc1cfeaf0fefc39ed0f1de4eaa175c
SHA1 11cacbb9e5724d37789455de37a225d8e0c648a1
SHA256 da2803a283d28882182e1e280b4f25ee1579a5805e73fcc9882e63968f102a8f
SHA512 6b419ba94ae90f8caa3a57690f2ec7e249c9fb8ab86819439621cde1243c7636ee76820622ce32ed483ce76976f7ced74778898fc2725b1a2407b039fb53508c

C:\Program Files (x86)\Java\jre7\bin\java.exe

MD5 88651044108e995f9801e35d2582491c
SHA1 abbf404c0253d085223a64ab947e1057c4211c9c
SHA256 c7fd72a0730b377c6da5ac80cdaf5f4cca84cc999a563a4c420fe5a8576810f8
SHA512 486b1d7ad7c3debcb8d70f9351adb08c8321c4cfb409a00ff818be1dacdc376a0eded630ccdc74aa99cc472589b88c9681989076fd78eb109759d33e7bf70543

C:\Users\Admin\AppData\Local\Temp\java_install.log

MD5 250dd63c170bf6cc59e2a7a34edb348b
SHA1 da811a6038e340332de88fe1c2a574ee1bb8a8a8
SHA256 f46f4d796f236751d277dc24184765679d409c0e454ae07587ca09e0710a0f1f
SHA512 ffc14529043f3231ace3beda1cb14de9ef37d24221d462138eb8fe9cb255eacba42bb864e41a575b7c14773ae577f6e44afcd408f2415678f1019895e3c376c4

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 7745b3cea25e2e1b15ee9ff72fab79fe
SHA1 718ad1be6be51f94aece7be6fe5e88b727aab003
SHA256 90c09660fc320d3be05c0b598abdd1259c9f4c632095b85ff6f7ce80a7b1da5f
SHA512 18f133a7ff86f957027b8ef3c84d5f9cd38593b3f2c4603ac1cbd7ae537e660eb44026888f52895c6fdc458dfcc5aac63519e2b36f4acedbd7fb124c29ceeea6

C:\Users\Admin\AppData\Local\Temp\java_install.log

MD5 d2c611a13ec2cd37d228aad0305dc734
SHA1 b7d5dd93fb333c96f9d0c516fc862a1f6dc31ae8
SHA256 648dac2d3607a22d24056d6d29f1e43343c0e812faffa92a381f627cc42789d4
SHA512 5e73bcfaf14e4a45068a74623e9ed39276844efc6269604ea231f1457c5837605e34ebc7fbf106156b0d653c3a0ce90bf0817d09a44a7b268718747506da70d3

C:\Program Files (x86)\Java\jre7\lib\javaws.pack

MD5 491bce42c6cd8af88a2e11f37711ed4f
SHA1 3de7c18fee44465a6afe34e068f2a64dea9fa324
SHA256 ee43869ee94eefe241d661101ff6a03cc276f8e558967b1b350ea088f1dad2e2
SHA512 1e5f99466b77b5a82c23449434272acf5746811ef96b98105f89b3339ccd86734d7713c94b773755219345d673a761a356fbe846a38e7893bd8894e43cf102e4

C:\Users\Admin\AppData\Local\Temp\java_install.log

MD5 e2aaff5f40ba3fbc2df129ed2157dd19
SHA1 8d6b9aeeae45922687e24365cecffdc0e4997f08
SHA256 1e1a1fcf7c15b8f6019b1696765c696e69a510bb25fd29daa4f8286b206e738a
SHA512 e1e5a42c4b5bac65b4747b149a694d738fe7e4e7c5398ef564885796e4d9d3cf5ae4ef1cd2066dd6ba24463654c090d79ac84e0f1ad76575155deab8088e6843

C:\Users\Admin\AppData\Local\Temp\java_install.log

MD5 a2623660c345873243bb8f88145663b5
SHA1 d8cabac7b4057649bb6ca31504719fb0881c7190
SHA256 3532daff57c2b70280ef79edf17af55d108b2d46b88bdbf248fab74db2a43d14
SHA512 60dc96479ae28a9011dee7a2e8ff2cb60ab548a6164ba8f5562fcd1cb154362677a68c98c62aa62333ac9812d4ddb3e332957efdbc5acfb5eade18f111c21f6e

C:\Users\Admin\AppData\Local\Temp\java_install.log

MD5 18f48d6714640435ab93cad409e10070
SHA1 fd33c178274fb08adb77cf5c695ce29ba32417bd
SHA256 f7468e1cf9cb05006bb7eebf4ce106f98828351ac7d8637486794ba90e5f5bc2
SHA512 632e4957e610ab787ed9a2cf3e8d988acb16e4cfc4d4df9b52682ca54fa4f7fed980b7b5dd69b1c4dd71554894ee5e5199da630b721f3c7403652f923a16dcc1

C:\Program Files (x86)\Java\jre7\bin\javaw.exe

MD5 64e2bb67ea740860510dcc5c2b6ffa2d
SHA1 6c5996358264624cdb4a075acc4f0b46177cd259
SHA256 844ab2231f45fad60d81770ea36d9937da9aa72cd905ce06e7471ddf9d69263b
SHA512 ed24331883ada44d8b034f5c8bc458e53234109d5cd02a27989972033f5b3305d23365106ce80be81caa16e472c14c103e457a1e0d138eb0d95036e58d877462

C:\Program Files (x86)\Java\jre7\bin\client\jvm.dll

MD5 27147e1e3faf9b5ccda882cd96f2a85c
SHA1 7103f60121727917f812bfc7cdff5347fc17cc8e
SHA256 500d359211ece211cf672de328345876f016fb4a476b2a03cbc3b8b89023ae1f
SHA512 0866c604911e243687e7fe721142eb882b19691c902736b59ba304933463d8c9154ecc319b91c9771cee8139e151cc2a2e960bc7a93ed97352cf5232a0964194

C:\Program Files (x86)\Java\jre7\lib\meta-index

MD5 8bff510abed2b6fcc5a83eedb65b1766
SHA1 ba6d0cd7504a5baeb963501b8bdf315ec6cb355c
SHA256 afb4850419612e0daf1876a5d61120ed0ccae241f188c25c014602007b3a765b
SHA512 8786bd672ce9c53f4c31f8206d621eb06ae7527f9adf3700955cc1cb928dde145b684666a5eb4ac11301541f585970ccd377ba144da351741e3cb5769b6ff522

C:\Program Files (x86)\Java\jre7\lib\rt.jar

MD5 bac77d8d145bd553c7efdf7978d9dff0
SHA1 31da52beb0237a6ffd6ebc4a766d92f12a226fb6
SHA256 a85b24d93ceb6095691838dda51d31bc5e8dc94663514b46c48d7c41d351aad2
SHA512 2aabc1986338a68cdecf6d46afd6492a90940d9412bf8f7ad7c6183091403a784244ecf1007dc3875a892c0b1c2557f5de31f387011ca8db657f4367f5fc86ba

C:\Program Files (x86)\Java\jre7\lib\classlist

MD5 1a0b7592ab9c12aff1191dfd225154ca
SHA1 3d3fb5f326f2caea866028558834ae684a2fe09f
SHA256 3837e95826d2273a54e3869efcad1521e000215428a2c7ee9397b650834ebaf1
SHA512 b2932400b6d8c72d344cb0592f121623dd848dcdd341248cf18cd55cd0c4fbd7f923057d022f89586ec6062299d756a37b3ff4308f10865de6ba68b2ee530fe9

C:\Program Files (x86)\Java\jre7\bin\zip.dll

MD5 1ecf056944068b933ba71cda3edc4a68
SHA1 2052b2138db0d9a368942470b41bb6fc5b1d4007
SHA256 35ce7ab154a38e97951714e17f7689873d89e8c01188de6e5cd741bc0ca3e384
SHA512 cadf312841d392a9970cc068b72063e17454d5e6738b46ec9622257d9dfc0bcad0d9420352752bf7d8f8e8ceaf6aca97d83896f753dc12cfeac3e5efb5e1ab05

C:\Program Files (x86)\Java\jre7\bin\java.dll

MD5 a258a133f7d565600647a248ab95792c
SHA1 1c6a855ca1fc04413b906b0b17609eff38317161
SHA256 81ad5696a6fcad89127fc7a428636d431b446ff1ee0c37bf87e8d513a8bae7af
SHA512 bf9dd97947eb0c71243ae28255af54b06d9e17af7ade666538dd93f9fdf6d8fbc3855f48bfaf6522dbd9ce3c6cff655581f092709670606d033f2321b1f4a5e7

C:\Program Files (x86)\Java\jre7\bin\verify.dll

MD5 cb89b1d71061f5ec52468528ecc0b1fc
SHA1 6feb23a8b5719c8997de92c7da644807fcba8819
SHA256 87d8d59972e73700507c07cee8750b0053c6a0899410338722a00c2803d39ee6
SHA512 2ff0ed38c7f28eb7ea16f24a0841dfb3306c4fec48ded5fddec8c3140f1a425433a444fe6b6cc4c17b3a39841c8ab0c23d7c9525c119c1b9d6daac2c17a4e4b0

C:\Program Files (x86)\Java\jre7\lib\i386\jvm.cfg

MD5 5147cce789cd18ad6b2996eb89e5d866
SHA1 756f1fffe96ef581f0d4d47253523544c89a2622
SHA256 c471d622198461715f245d478484fc7c8de533313c56e922931a875460a5aa88
SHA512 55f53adb70b1cf741cdf0dee74d92d2bf4c96954a760afae289972a0ea9bb27bc5eb4df1bd41829c7c484211fcb294fe296a4d560d8a1cdbb8c707b3bf2a79a6

memory/3644-828-0x0000000000C70000-0x0000000000C71000-memory.dmp

C:\Program Files (x86)\Java\jre7\bin\deploy.dll

MD5 87ec9d4a00d34eb6a0f8f92e1d1cc08e
SHA1 bee4ecae201905096dd44d1d348ecb3556d90832
SHA256 352707a271a9ab5d0e190a539b6468d6c6c5ce9675b300acf2305aa1f30625d8
SHA512 5b7f9866168ad7948a5a80078b14ff747201d17922ca907072a081e0078f6ac68446ddd36b027b4a17f5afa7d1bb4962642cff28cf66867171ebb78735f242d2

C:\Program Files (x86)\Java\jre7\bin\wsdetect.dll

MD5 958bc8d82e4d0a5b51536bb4fc4fb6d6
SHA1 626312fa01c72ec5c85c9262ba0ae97a8b1f5b25
SHA256 2ef891881d506084ed182a0ac58b10dbe8c45877ef889ac9105f19431beee4ca
SHA512 fe17b58e3eed817619bebf6d091aee99fdc331c9c5a4163e9f5993b41b2e7362365da210e0636755ada6b8838012de1bc5435b8670aa12f378a3c9e3a9f5af04

C:\Program Files (x86)\Java\jre7\lib\images\cursors\invalid32x32.gif

MD5 1e9d8f133a442da6b0c74d49bc84a341
SHA1 259edc45b4569427e8319895a444f4295d54348f
SHA256 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA512 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

C:\Program Files (x86)\Java\jre7\bin\WindowsAccessBridge-32.dll

MD5 1722510af00ea3c7406681b47bf442f7
SHA1 cafac266d52d78d3743c31ebef22a894781e0de5
SHA256 4010a3ec604a327861bedf01626c12eaded9d381b6e4f0e6f760895838834a21
SHA512 31a2ce3d5eb9828cbb82d2a7e29f2c5bf46528d38f25827329512cedde37bd03b3cfdba0aba3320b6c0e7779588958e83bff735f6059aad37172598e70e863eb

C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+5

MD5 a2abe32f03e019dbd5c21e71cc0f0db9
SHA1 25b042eb931fff4e815adcc2ddce3636debf0ae1
SHA256 27ba8b5814833b1e8e8b5d08246b383cb8a5fb7e74e237cdbcadf320e882ab78
SHA512 197c065b9c17c6849a15f45ac69dafa68aaa0b792219fedb153d146f23997bfa4fbc4127b1d030a92a4d7103bded76a1389df715b9539ea23ea21e6a4bb65fb2

C:\Program Files (x86)\Java\jre7\lib\zi\MST

MD5 11f8e73ad57571383afa5eaf6bc0456a
SHA1 65a736dddd8e9a3f1dd6fbe999b188910b5f7931
SHA256 0e6a7f1ab731ae6840eacc36b37cbe3277a991720a7c779e116ab488e0eeed4e
SHA512 578665a0897a2c05eda59fb6828f4a9f440fc784059a5f97c8484f164a5fcec95274159c6ff6336f4863b942129cb884110d14c9bd507a2d12d83a4e17f596d2

C:\Program Files (x86)\Java\jre7\lib\zi\HST

MD5 715dc3fcec7a4b845347b628caf46c84
SHA1 1b194cdd0a0dc5560680c33f19fc2e7c09523cd1
SHA256 3144bc5353ebbd941cdccbbd9f5fb5a06f38abf5cc7b672111705c9778412d08
SHA512 72ab4b4ad0990cce0723a882652bf4f37aac09b32a8dd33b56b1fbf25ac56ae054328909efd68c8243e54e449d845fb9d53dd95f47eaaf5873762fcd55a39662

C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT

MD5 7da9aa0de33b521b3399a4ffd4078bdb
SHA1 f188a712f77103d544d4acf91d13dbc664c67034
SHA256 0a526439ed04845ce94f7e9ae55c689ad01e1493f3b30c5c2b434a31fa33a43d
SHA512 9d2170571a58aed23f29fc465c2b14db3511e88907e017c010d452ecdf7a77299020d71f8b621a86e94dd2774a5418612d381e39335f92e287a4f451ee90cfb6

C:\Program Files (x86)\Java\jre7\bin\javaws.exe

MD5 2b4493bb1f94580c41def972ea9a887e
SHA1 880ca8b20c6df9a6a176b91cc50304cb0fe66d06
SHA256 841339373958786d9c93a7dad5de8fd213ed6b5ad69623f5a5762a453c48e0a5
SHA512 b43e54f2c1f3e0a3c3d2fcee518e47d17476bb735606351e41b49e97e10af758ea9a539ac370a2d12cffa93e3e752e829db969968664c59386f65b732c29e40e

C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll

MD5 bc3a575dfb1a58d35e8617f2966bf1ea
SHA1 6353630f62e246d7f462134e8d10a7a42935e20f
SHA256 c029fd3c6ffd2158d0633fc122786838a6f5d3cc7ef78bbe934697015c8c63dd
SHA512 c976da30d343f8e104bec72300dc0c17e582e380f0a3ae85b242dbf2d5b40459feb4a3b7789fb8d755b21cbaa0940038d20dbbf1296a48e77b461092abbbe514

memory/3464-1428-0x000000003A200000-0x000000003A210000-memory.dmp

memory/3464-1450-0x0000000002B80000-0x0000000002B81000-memory.dmp

C:\Config.Msi\e58da12.rbs

MD5 5b3763ea38065e463e48af89fc992db5
SHA1 0b49e07df7327cb90e56e1a53ea8dca272e8834f
SHA256 fcbaa96292395532b29059a80aaa8b8dc116b743cdfbba2d94e5334ec81bf2e0
SHA512 cf6bffc89438d3ad6b1f7f26763df714068fe30890126d73f50ec4dcc76eb38a720824e2c4fcf792be7811a1024fe99a1ce7b2a955186dcf824112bf28c63e92

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 c636419de001996a641621f51ad35d9f
SHA1 f299fc6bbfdfc4e04a248fbf3a40e503fccbbf3c
SHA256 fa69ccbd24067deb0bdb358ca8fa54bbd7b59fd74c1a275d2ebc98cdfdab2b57
SHA512 b9482c0e95e4ad263458d1464d5790948f500e56874782c0397337a912783435cbf782f7f1900dbee0b0d826fbe6e55014989de6cea8ac112d05298b9a8fe6fd

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

MD5 67c507c1e5812360234851fa19b6ab8c
SHA1 f8529f66ed2242d92d6a8205ce00c2a9a58034db
SHA256 c39bd53b003fa563b5e417781fed340fd12ee840a9d50d2373bd9639a1b96a55
SHA512 314d5a6322785cdecc11be87bdeb88b41717f2f01e1a13f7200feba614d5163556a25d09048ce8e7ca61bec4c2184741ea442e74564e09fefde3e5972fd516cf

memory/656-1551-0x0000000001260000-0x0000000001261000-memory.dmp

memory/736-1558-0x0000000002E40000-0x0000000002E41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

MD5 e9f86a1298511d345653f46c8e81d38b
SHA1 6a0be31ee4f648f9703bc7170445c4cd82e96347
SHA256 8962e002f78b2dab64a4fac591b247d5ae059abe498bc813f42253a1d3f0a442
SHA512 b7d51e226d706771feb27855159928d3d8db1d9e2b5d8d88fa90615a59e30dc2d6d9424692ade68abbd7ec491b846db8dfc5de803202977bea54ffd30cabe7c5

memory/736-1597-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/736-1603-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/2708-1632-0x00000000011E0000-0x00000000011E1000-memory.dmp

memory/2708-1641-0x00000000011E0000-0x00000000011E1000-memory.dmp

memory/2708-1649-0x00000000011E0000-0x00000000011E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

MD5 c3f3b0d50b60125267e8c7aa6a763e20
SHA1 b9cbd5eb2280f56a2a3fd4acaa84dc9e0dc661d4
SHA256 a807f8952161e68e5f9a05bbd319a78ce8678d08f98e7a20f41233c4e035d06c
SHA512 e51b33574254dd581d710b2def4ef103f351ac41f0e220bc35b3becb53e55f26ff09e962da46398e07f16f6723f9ea97e2d7326ecfbcf7ca9e58b5387ad36a85

memory/3460-1678-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

memory/3460-1704-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

memory/3460-1732-0x0000000000FE0000-0x0000000000FE1000-memory.dmp