Malware Analysis Report

2024-10-16 06:38

Sample ID 240617-xyzams1bkc
Target ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe
SHA256 7befc08954b8847b35e82bb40e6aec8f69807c5a5c8861c35463c818f4628377
Tags
persistence evasion
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

7befc08954b8847b35e82bb40e6aec8f69807c5a5c8861c35463c818f4628377

Threat Level: Likely malicious

The file ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe was found to be: Likely malicious.

Malicious Activity Summary

persistence evasion

Sets file execution options in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

Enumerates connected drives

Blocklisted process makes network request

Drops file in Windows directory

Drops file in Program Files directory

Resource Forking

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 19:16

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:19

Platform

win10-20240404-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe"

Signatures

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZoneAlarmUpdate.exe C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZoneAlarmUpdate.exe\DisableExceptionChainValidation = "0" C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Program Files\7-Zip\7zFM.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Program Files\7-Zip\7zFM.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\GUT667B.tmp C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\npZoneAlarmUpdate3.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_iw.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmCrashHandler64.exe C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_hr.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateHelper.msi C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\psuser.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\psmachine_64.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_zh-CN.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdate.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_pt-BR.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_am.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_ca.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_gu.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_mr.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_ro.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File opened for modification C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdate.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_es.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_it.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_da.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_fa.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_fi.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmCrashHandler.exe C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_el.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_sl.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_sw.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_tr.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_hr.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_el.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_fr.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_bn.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_ur.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_vi.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_lt.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ml.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_pt-PT.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_it.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_de.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_bg.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_ta.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_te.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_zh-TW.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_bg.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_en.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_kn.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ko.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_nl.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ta.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_te.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\psuser_64.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateOnDemand.exe C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\psuser_64.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_en.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_pl.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_cs.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_en-GB.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ms.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM667A.tmp\goopdateres_cs.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ro.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_vi.dll C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e588ff6.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 C:\Windows\system32\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3}\CLSID = "{D5B80838-9D7E-4A94-8115-17A76F676AD3}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\AppName = "ZoneAlarmUpdateWebPlugin.exe" C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\AppPath = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0" C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\Policy = "3" C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\AppPath = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0" C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3}\Policy = "3" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A} C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8} C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\AppName = "ZoneAlarmUpdateBroker.exe" C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\Policy = "3" C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD29A878-82EC-4F08-97D7-8C7C691892F0} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBA995AE-E466-4EF5-B49C-16C2BF29305F}\ = "IZoneAlarmUpdate3WebSecurity" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86BAA25A-9A0A-4F50-BCC4-1496BBDFBF6D}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF42CD96-EED4-43DA-AB7B-B91BE0F7FEF4}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3065C225-61D8-4BD8-8341-BB49BB3A5257}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE1B13CA-C8E2-46D6-B5A0-02FAD7485323}\ = "ICurrentState" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601B182F-F89A-4B53-B847-7987B45D5290}\ = "IPackage" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A90FC543-A20F-4B53-A2E4-4E7923933F8D}\VersionIndependentProgID C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A86AF1BE-D06B-4569-B99A-814124EA8B20}\NumMethods\ = "11" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5C6BA10-52D1-4AB1-8A40-FF24B9705E0E}\ = "IAppBundleWeb" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A575A3D-7CEA-422B-9F46-5BBA3BD3FFFF}\ = "ICoCreateAsyncStatus" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.OnDemandCOMClassMachine.1.0 C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFD71C6F-13FF-4E4F-BAAF-097A1E12B523}\Elevation C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ZoneAlarmUpdate.exe\AppID = "{332EDDAF-849B-4BF4-AB55-91A7D145A5D9}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF42CD96-EED4-43DA-AB7B-B91BE0F7FEF4}\NumMethods\ = "4" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8C715AA-73C2-4603-BB9A-7B67492B2D6A}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\ = "PSFactoryBuffer" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D4E3B9-85B5-4402-B456-516E9B4AC7A9}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3065C225-61D8-4BD8-8341-BB49BB3A5257} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3WebSvc C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3WebSvc\CLSID\ = "{0F558182-190A-4A14-9683-30DA54A05BC5}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8515F47F-2E88-40E3-BF7C-8F6B35F9582D}\NumMethods\ = "10" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E203DBE4-F5C3-40F0-8742-BDAF5E3C1E5A}\Elevation\Enabled = "1" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3COMClassService\ = "Update3COMClass" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92785311-171B-4358-A89D-11AC094F5717} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD29A878-82EC-4F08-97D7-8C7C691892F0}\NumMethods\ = "4" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8515F47F-2E88-40E3-BF7C-8F6B35F9582D}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC5AB8D5-6AFA-43B7-BDAE-06FEC4ECBE04}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B930D828-1FD1-4255-8336-1CDA396C671D}\ = "IRegistrationUpdateHook" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A90FC543-A20F-4B53-A2E4-4E7923933F8D}\ServiceParameters = "/comsvc" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601B182F-F89A-4B53-B847-7987B45D5290}\ = "IPackage" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CredentialDialogMachine.1.0\CLSID C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.OnDemandCOMClassSvc\CLSID C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8515F47F-2E88-40E3-BF7C-8F6B35F9582D} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC5AB8D5-6AFA-43B7-BDAE-06FEC4ECBE04}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4AB999-B493-446E-B067-BF3E1C1B872F}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7A50D4F-9FCE-48D7-B93F-A45944226ECF}\ = "IBrowserHttpRequest2" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86BAA25A-9A0A-4F50-BCC4-1496BBDFBF6D}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7A50D4F-9FCE-48D7-B93F-A45944226ECF}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B930D828-1FD1-4255-8336-1CDA396C671D}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3WebMachine.1.0\CLSID C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD29A878-82EC-4F08-97D7-8C7C691892F0}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601B182F-F89A-4B53-B847-7987B45D5290}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CredentialDialogMachine.1.0\ = "ZoneAlarmUpdate CredentialDialog" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D4E3B9-85B5-4402-B456-516E9B4AC7A9}\ = "IAppVersionWeb" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A86AF1BE-D06B-4569-B99A-814124EA8B20}\ = "IAppCommand" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CredentialDialogMachine.1.0 C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1557BFC-F8CE-4EA3-9130-9F461F91379C}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1557BFC-F8CE-4EA3-9130-9F461F91379C}\NumMethods\ = "13" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB9A0177-9BBE-4B9B-A615-E698F7C73D50}\ProgID C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{499D1391-3A6B-4F0F-844D-1DD9CA45ED03}\NumMethods\ = "10" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD29A878-82EC-4F08-97D7-8C7C691892F0}\NumMethods\ = "4" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD29A878-82EC-4F08-97D7-8C7C691892F0}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD29A878-82EC-4F08-97D7-8C7C691892F0}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF42CD96-EED4-43DA-AB7B-B91BE0F7FEF4}\ = "ICredentialDialog" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A24699BB-64FB-4AF5-A6BA-411D45392F7C}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1FADDBD4-5D41-4C31-89AE-37A6C1B63DCC}\NumMethods C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3133AA91-F4A8-4C99-85FA-6C8BFE86CE62} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A90FC543-A20F-4B53-A2E4-4E7923933F8D}\AppID = "{A90FC543-A20F-4B53-A2E4-4E7923933F8D}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D088BAD8-E92C-4500-BDBC-5CF5E239F40E}\NumMethods C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73E7D42D-2571-466E-9394-55368FA96512}\InprocHandler32 C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4604 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe
PID 4604 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe
PID 4604 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe
PID 4944 wrote to memory of 756 N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4944 wrote to memory of 756 N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4944 wrote to memory of 756 N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4944 wrote to memory of 1664 N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4944 wrote to memory of 1664 N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4944 wrote to memory of 1664 N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1664 wrote to memory of 828 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1664 wrote to memory of 828 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1664 wrote to memory of 812 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1664 wrote to memory of 812 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1664 wrote to memory of 1868 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1664 wrote to memory of 1868 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 4944 wrote to memory of 4032 N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4944 wrote to memory of 4032 N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4944 wrote to memory of 4032 N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4944 wrote to memory of 4404 N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4944 wrote to memory of 4404 N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4944 wrote to memory of 4404 N/A C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 368 wrote to memory of 4728 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 368 wrote to memory of 4728 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4228 wrote to memory of 1664 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4228 wrote to memory of 1664 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4228 wrote to memory of 1664 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe

"C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe"

C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe" /installsource taggedmi /install "bundlename=Product&appguid={814E4157-8A6C-461B-A80F-B75931228CA1}&appname=ZoneAlarmNG&needsadmin=True&lang=en&ap=ZANG_FW_FR&usagestats=1"

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /regsvc

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /regserver

C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe

"C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"

C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe

"C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"

C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe

"C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuOTkuMCIgc2hlbGxfdmVyc2lvbj0iMS4zLjk5LjAiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDhDRUNBMEQtQTg5MS00MDU1LThENkEtQjgxQkZERjYyMzEzfSIgdXNlcmlkPSJ7QTlCRUJDRjAtRTUxMS00OTYxLTlEQzQtQUUwN0Y0ODc3QTQ5fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0iezk2NUM3MUY3LUYwQjItNEU5OC05RkIxLURCNTk1RTZGNjA4N30iIGRlZHVwPSJjciI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTUwNjMuMCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy45OS4wIiBsYW5nPSJlbiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNTQ3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /handoff "bundlename=Product&appguid={814E4157-8A6C-461B-A80F-B75931228CA1}&appname=ZoneAlarmNG&needsadmin=True&lang=en&ap=ZANG_FW_FR&usagestats=1" /installsource taggedmi /sessionid "{48CECA0D-A891-4055-8D6A-B81BFDF62313}"

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /svc

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateHelper.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe"

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuOTkuMCIgc2hlbGxfdmVyc2lvbj0iMS4zLjk5LjAiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDhDRUNBMEQtQTg5MS00MDU1LThENkEtQjgxQkZERjYyMzEzfSIgdXNlcmlkPSJ7QTlCRUJDRjAtRTUxMS00OTYxLTlEQzQtQUUwN0Y0ODc3QTQ5fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0iezAwREE3NTY3LTdCQUMtNDlBMy04RkNDLTMzRjc4MTIyMjI4MX0iIGRlZHVwPSJjciI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTUwNjMuMCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezgxNEU0MTU3LThBNkMtNDYxQi1BODBGLUI3NTkzMTIyOENBMX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IiIgYXA9IlpBTkdfRldfRlIiIGxhbmc9ImVuIiBicmFuZD0iIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMTI4OTQiIGV4dHJhY29kZTE9IjI2ODQzNTQ1OSIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjE0ODQ4NiIvPjwvYXBwPjwvcmVxdWVzdD4

Network

Country Destination Domain Proto
US 8.8.8.8:53 zupdate.zonealarm.com udp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 8.8.8.8:53 77.209.87.209.in-addr.arpa udp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 8.8.8.8:53 159.185.200.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp

Files

C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdate.exe

MD5 89fd362b23a35657a6336df3cfd64e7b
SHA1 654cb73032f37152a5246765f4b4d402689a0b55
SHA256 07535f001d9ff626d2b7295eacf881eee074b704a0ac6041d8ba4bc3e58d48b9
SHA512 9b9573e5863c4f837436dd5d0501faf6308efeb209294ae60944867b4ac1aa29dbaefbb7539118b963751843f04b9f789da45fce017e515949500f9da0f03fd5

C:\Program Files (x86)\GUM667A.tmp\goopdate.dll

MD5 572b21a1706173306e8d8a3ac8007117
SHA1 ba8edaa5dbdeeb93e8fd22db3580b2e4774e8999
SHA256 f93ff69079392ebe57ab5e23076d2661145434487731c07a961d316c17ad7d34
SHA512 fe7201c898184456555c3aedd37703bf5d806418686f0ed8ab1960a914169d23d8b6254eb9960a6cca3cf78c33ee1d329b6ccb7c6035eccb0bdc42c5c7508cb9

C:\Program Files (x86)\GUM667A.tmp\goopdateres_en.dll

MD5 972dbfb7a1e859eb98f4e538a7eb351f
SHA1 28869e21c5ec908f69366050f844181f4c9d2637
SHA256 97d8d9549ff2a214fce74ac746ded5b58681aabb70af4a854b324e45ecc16725
SHA512 8ca155487cc68fa465a127e121f085ce911879feca9bfc425d5fa83935178617e3b5889c471af78a3527cbcdcaff774b6ef6a70a2c57a144badd617b976f7b12

C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdateCore.exe

MD5 68274b512b5752d9a914e5ab1de5926f
SHA1 20cced7104ccd49128493e0263f5774248c31478
SHA256 735017aa118ef862fedfff0707d5fcbd2abc918019a0c2cdf191f5403f18e300
SHA512 3810ff02cf6914e93f8f2a8c8ab04e6ad941864e38d2f0a6fea3f6b9c08041a0620e4a768387821db31b6aa1026051fc0c2deacd739752445ceb9cd27e3a4236

C:\Program Files (x86)\GUM667A.tmp\goopdateres_am.dll

MD5 86a76c0d9a83f9bebe41b625451130a6
SHA1 462d8d69e0849e8060cd02e5c23f76a477997136
SHA256 60683f854f8ddb182c09106b2e12973f738b16209faa11e749a64be458e7c03f
SHA512 ab73e8ffcde809ece00991d477659c994ffeb518688cd0c531a328f3893af9b671606aca6239927b95aaf4ae8284007ea1229a0f2381ae32f1022c237c9ff923

C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdateComRegisterShell64.exe

MD5 4c4934b6b9275a2f5ec789a0ae4ec9ed
SHA1 2ddccb4f7e5b1e4c1a90670becbf64b94c5dbee0
SHA256 f3455a492f3f6f8319f8a35f49734c972d6cb3c4fb756e1eb2b6d6e37e36ffac
SHA512 524aef1ec4648013f5a25e3486a493d29d37dbca1f73613fe406c19da68cdbe10bac1735a5cafc388dac22e915c3a627775530575583b54ed42410c63163e430

C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmCrashHandler64.exe

MD5 a59880ae7d713204229829e14d658686
SHA1 fa8a1f5af1c3dd5d864fe47bc083d0ab2d30657e
SHA256 57679084e0bdd91f06e2bc47441f9a7f54b746898341f74a0c4d78f7e1c6c4b1
SHA512 8b11b6ca6e1b0097784fe9c60336da37291ff42f3175a849b56f68cb7d0572a647a96591969668fea9583d345cca2f77cf85e82535d137dc2376eda14ee17794

C:\Program Files (x86)\GUM667A.tmp\goopdateres_es.dll

MD5 15a860e025f056cdce88fa27d8c353fe
SHA1 ef17565ac1617b31f15264c689741df998367583
SHA256 1fdd0b09a513c1d47c384887677efb50d2632a561249743305f1e8b1d5c56363
SHA512 52949b64bd225931b591e424f6f29545f73ff6a4a757529e0998fea6ee1b772cac3ca33aeb143be5edc5dd51cb7aac34ffe4c5fc769cbc63a4ccacada56e4ec8

C:\Program Files (x86)\GUM667A.tmp\goopdateres_it.dll

MD5 73f622413790002ebf45254d1e5a1ea1
SHA1 53b55408dc9ed6eb01d310c8658ff57c971e4e45
SHA256 bb83a0d819210f548bbe99435fe9c1a8bc50788df6781cda2f6ca22d8c8cc05d
SHA512 f4ee01e70a1d8788367363e6cc572d4fcb12b85068668fefb41ff37e80c29e317157c4525244c4272c3fb66297d06b06a10a7437cb2d1b5a56bb204de67bb16d

C:\Program Files (x86)\GUM667A.tmp\goopdateres_is.dll

MD5 75d1f5388885e41c0a12644ae388ff69
SHA1 e318acc41d1b079a3446a0038df34032709d27e7
SHA256 b10707a5113d4849c409d3b59a1064c6399109c101405343c09dca1ee986ca6b
SHA512 bfe661dbc8aeb4020080fb9756a09b2adf0c26ce02bb7c497b61d83714e30ef0f1a3938a93686181b0b8cf66cf229b8652870b3f859fde3fba7301ae82f18d2e

C:\Program Files (x86)\GUM667A.tmp\goopdateres_id.dll

MD5 881f95414c50494ae62f2f8e0709204c
SHA1 ca987f51e990a2854bd561b4a20a002beb40caa2
SHA256 f44a7849d2fe42b07fbe0deb67e4112527452e31a0e1b09fa5eaad3d637d44a2
SHA512 800c30e31659aa864351c1df40f65faf7f9d55cf562f262b1b7255974cbe95d9228a2e044211d6e5bc82f23936b2a5121ea7e2a13c0a415511bfd343deb75719

C:\Program Files (x86)\GUM667A.tmp\goopdateres_hu.dll

MD5 ba003c4f7523132aac67a14becfd6ee5
SHA1 dcd59eed9eb2e117494bc78c16b6c3da2f4c6cf5
SHA256 1ad6bc6a61e71733b161a479d0dfd7c8f6b53ed4cef98f9cbee45c8f224a34d1
SHA512 480f014d753cbb71b92e46d5f7c497bcc9b60eab853f13cccb723188af4fadd1bc4d77d3d86fb7a4be6ed7e8219f53c3f0e3b1fdfae1ac504fc986fb76ada468

C:\Program Files (x86)\GUM667A.tmp\goopdateres_hr.dll

MD5 f10e945b4a0caa27b6c93bbe774a9a4f
SHA1 32e2572d329821a6b49213b99afaa84050de6fe5
SHA256 7461b8df4b23f27cdb8bf999102505be897ff8c18f781f34c1f7f73dbeafcce4
SHA512 919c8fb837fe44f8c6b8828708bca01a9ba77ab466d35350e1f113af056c6b6ad7a882469ba78fd623ede39c0811150cd81cec9f2ebf0b18acb86abbe0346952

C:\Program Files (x86)\GUM667A.tmp\goopdateres_hi.dll

MD5 673e16edc3eb0756fcb2bad19858fa8c
SHA1 125b38a399d677744fe6f9add31540c9583d6e64
SHA256 aaf237ab2ea80d3bc3628e9b9fec255ad6417b4f5fcf5351f0dc150998d46b94
SHA512 5e58ab604cca741865f65c2d371da14f43f9ed66ada19c38f97ea9db850215568bb81404dad93c7ca3482efa41e04a3e72fae5356071c09df05d1ac6abe84d9d

C:\Program Files (x86)\GUM667A.tmp\goopdateres_gu.dll

MD5 800144063550fb7a04eb285c3e352121
SHA1 05d9de686bf12de71f963f93b8e4d052bd20fe2b
SHA256 0e68bc976c540c659d31f4bd8c6a056891921d50642283dbe166bde69b75f25b
SHA512 c339fe2a31d985c6472ff14f65dc0b4f1f4994a9cc6b6742415a4f12ca250c3c5508595b52afb1795acd619d05aa4dd724401bfa6bc1e49f3d0700d71527025e

C:\Program Files (x86)\GUM667A.tmp\goopdateres_fr.dll

MD5 79cebac71c94ad83e4499bc217d72bdc
SHA1 84f3e0985062c053a5f977264783af02927b13d5
SHA256 87452cb3bec2fa99fe92d713908153c62c9019bb11df1b6e257a8fad946076b7
SHA512 0ec22277b7cd746b65cb6509297efced79cb14b6c12494322f8734b82632f0c7786d6b3abf58416bb88d2032fd9ede6ae548f869f5f49d79ad880bfa81225c0a

C:\Program Files (x86)\GUM667A.tmp\goopdateres_fil.dll

MD5 e97c30923109dc4f1e75ed9be51ff97d
SHA1 ed5326c45325f94bdcc485735a1ce7d17b6976de
SHA256 cad333c1800e6d5a046034e64315de2778287fcd192b3f30d39609173fe5d4f1
SHA512 bbd877d2139f32087d3512ecec3b3d16e44b9d2acfe3c91c41c20406075ae1156409df30f4753bfff4e61241067cde2c2aac92ea52254fe4988bee2dafb9e8a0

C:\Program Files (x86)\GUM667A.tmp\goopdateres_fi.dll

MD5 236de2af2c410c1a02a7fbd7b2316a1b
SHA1 54ff9d2b24ae48c8f9fcb279b54054734ccc6618
SHA256 006eb61aa3e9ea055b2c7d21374666fffd57bbaa262b65f26523d125d6448d37
SHA512 8e6f5e44cb04e84c413f064f30837db3b24f84a33325a937387408ab7d621a6cc884e6df9b434056df490ae998d45d79061fb79001138adf95273a941916114e

C:\Program Files (x86)\GUM667A.tmp\goopdateres_fa.dll

MD5 3a6e68fe872b293df90696996e76b38f
SHA1 a69b0192f3e768f2f11507e02c0cdf132e1aaab8
SHA256 41e166029b80e8c538f36bfabb7bac40bed848854dfd13e0bf8e8979a3511740
SHA512 3679c836ae3d9501d7f88fc107e09595c6a403bf8a4b1cd251cb443bddb0e84bf6660edc39fce0ec82c05a62e95299987b854ba91373b7b373127a4615f51550

C:\Program Files (x86)\GUM667A.tmp\goopdateres_et.dll

MD5 5b0b1b683839e8c406d1ef3665ae0536
SHA1 f8614acc851e1502fa7a066db7246c0f44267788
SHA256 4f74fb55665673bf7d3da440f1f30ce1f78c97988cee030a8bb79b137a3b7cf6
SHA512 857cc9301dd00d6321a03cd910673329ccfc267641c280a37798c5a2cf0a930a9f5dca4555989243f46186753d541f60f9ecd533da144320877548ed355d8479

C:\Program Files (x86)\GUM667A.tmp\goopdateres_es-419.dll

MD5 f82e1dfb6859590345a3743b8593dc87
SHA1 8050281431d32804231b3f9b03187d21225ae8ba
SHA256 0b43e4a4138761c0b3c9bba465d6bd137987d134d21bb135037cf2456c98fddb
SHA512 b43c018f8250b339b02bff466e7fa9a1cc547b0b48efdbd67100eaca507220f6189cbd9c7c753a97a7b0564fbb9815d91f588421682782f1463b6aba150df0d4

C:\Program Files (x86)\GUM667A.tmp\goopdateres_en-GB.dll

MD5 eb90f269714ff2571c5bdcadd6505ce5
SHA1 65bf50f255ce7e3c49067b702c5ecdb4e4aa774f
SHA256 5f3c880f47811825aee9bab9cafc292d10d9c801a7b2495a823e62c15b2929e6
SHA512 05a058bd7680cc50f3833b2e19b8c82ace2bad5c4da62cde8dd39937dd8f0a1b56481f03747d8628821922ba1e4fe9172416a60ec34d5ca64c8655452593cd0a

C:\Program Files (x86)\GUM667A.tmp\goopdateres_el.dll

MD5 aff8107d364418202f6a21b2b03cf9f6
SHA1 89101bcbdfcccdc6608ad3046b1d17da56c01c0e
SHA256 20749fd36930d8c58396409659670b005aa7cb270a610543ed151fc8501f7071
SHA512 e2392d732982d704c1d2fa894fd3c640e8be46731ff8ed140d0a71be567d1b866411afc5da296ef8087c2186d0d3f5f239bea571b152b72642bbb5215911c1a1

C:\Program Files (x86)\GUM667A.tmp\goopdateres_de.dll

MD5 08a0d1a5117893ae591b9106effe5247
SHA1 0e4a97ad9b157df75d9d954485acef4c1a3531e4
SHA256 5627427ccdadb0cbec2ac81347881a97d65bf8806ae45fa2d8d08d01e0c065a1
SHA512 164b053d225645dbdf0362a78b1850778363d534d2b19a75a0bbfcd3545ef05b87e6351fe3423103d8cf5199204b079760a66d872aee90b1da093a0029bed048

C:\Program Files (x86)\GUM667A.tmp\goopdateres_da.dll

MD5 bf8ad2db1e4cbc938dd903c799792375
SHA1 4bb18c34b7cdc52ed7a3e93e83f4d08150f29664
SHA256 7b5e8c0cb9043b3f1eaef9b64b695da2c6c0bb679027ce7867fa3eba01b37b5c
SHA512 2ca860f2cb4f8c841f36a03043671b86efccaa7a68283213c5f4881ea017dbe7a80ef3c4e25a21d66198692353327775e6d2bfb2dc9a72ca89011761e44ae318

C:\Program Files (x86)\GUM667A.tmp\goopdateres_cs.dll

MD5 4b8f45b7e1a39baccc048e4946926f88
SHA1 7fb7e577e6181ceaecbc3f7d0b8d125ad6ad3a81
SHA256 917e26b3a9fafce6d0ae133a1938f5845c4d8273629cfeefb50d373533f51a2a
SHA512 05eed9d216e475c655ac07dfaa03aaeae2d815934b7ed478835a7038ba87e5e2635d954546e9dd3456d74fa0f5ac8a715ad858b2e2473bf6f3d3185ff105b545

C:\Program Files (x86)\GUM667A.tmp\goopdateres_ca.dll

MD5 18b42252e2a7a5c50e22b351d1f9d3b7
SHA1 20c19214e0476290f3ec3396609992b735ffb118
SHA256 dcea9438bd4a16620c28d25169a2b023cfb0ce7ce2b8d713839e5001038e4552
SHA512 2903e9b85717f941f2ac9d49120069973ae6025de6d8a00d2a6da53950ef1fcc0d5b3f4c7ecf599451cce11062aff36c6f069dea911f42f0800148f899be97d7

C:\Program Files (x86)\GUM667A.tmp\goopdateres_bn.dll

MD5 af71383de3a520b7ce0585a8bf64368f
SHA1 0761a1e14f19385f8524b71be3882d357f070a86
SHA256 a71c82e6bb69da2231566cf012cba276fa0a3644d7cfc732d188ffb420a209ef
SHA512 832fed14a1e549e388e7094d5ad9f7cc54b2085c66cc2f7a5a063a01631520693179c244d4e02042eee2e22d082706d96868cb66ab7e4bccdba282a6d8be4d01

C:\Program Files (x86)\GUM667A.tmp\goopdateres_bg.dll

MD5 8eac2099a1e21bae948d6e149fbdabaf
SHA1 5516edeac6765bd5f30484611782764874b64b08
SHA256 a1062fcaf046c3ad0a13001045acc71dcde10f4802e6fa3caabb1b0f6d821555
SHA512 17e6d1f7c7c79957e8083304249f6f1810ecb5afda5eacceddfe954f5629ca36f7371f58f997cb9924c973b7e58c9d0b44ec803a81bb33f4d07acbc0547ffd3a

C:\Program Files (x86)\GUM667A.tmp\goopdateres_ar.dll

MD5 7415d9f09649006e0c1555313e2c3ba9
SHA1 3283f49898a6b4c5a7b39343b5843ebc4cf89b4f
SHA256 277e719233da022d585d1c1888140f02cc3a015f467ce8643658cb9e93d801af
SHA512 e4ac00955561c8dd7ecbdf6c701aea990baeb0fb7fd13328f355705529cabd7f5c661ecc746ae0c750e282c0e8255a25f587b252d6418110758f8ebf4d1d1536

C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmCrashHandler.exe

MD5 68351fedf0579636dbba97dd5e0efe80
SHA1 68473a8b1fffc7b0286891c3b19cbe0b6532e61f
SHA256 4613295b428618717cd9c11d35694aa13c0708483e4c15a620e75592ab30c5ec
SHA512 2b0b13cce89ef247b80ffbb3331881a9de9db60204b304fb96d4d76b1873447c1c541118e0fccdb54944d6b68b45ef74a78df0472978b14ee316a11bc340136d

C:\Program Files (x86)\GUM667A.tmp\goopdateres_iw.dll

MD5 2d8fe0fe40749487d3f343469cb4ed4a
SHA1 68151cc669a99f74846c1743e0803ae91409921f
SHA256 5108741ce1fe3ffc1fa866ac73bbb13726c8ad2d9f5d387c69b1a92ca234a7a2
SHA512 b578263113f5edfc26fbf893bb0d832f60235af3be361e20fbe64fe6ffc51cc3120e92fb75b348da1545ec0e449b6c2be004852e2a63024fee6c3dfc1b4dd4eb

C:\Program Files (x86)\GUM667A.tmp\goopdateres_lv.dll

MD5 5f2d6b0aa3fc70637ea0d86863f4e9d3
SHA1 66719518fc6204fa5b3cd5e881c33b385157a3a3
SHA256 fc4bb495fd17d999924ccf6b66a6cb010d27e4f2a7e5a63e152be7dead3bdf19
SHA512 8d6ddc7770b4b81b96f5be5b15e6b6079a00635298b268d1082a2a8af1385b8bf86783c8fe1b3369ee8002eab1049fb564534e8c76a22a5d74162ac6ca484e59

C:\Program Files (x86)\GUM667A.tmp\goopdateres_lt.dll

MD5 0d6edfe2f40d2d3cc88f0ce66290440e
SHA1 8885cfcd302a44a6a8fbf13a8b767f0efca3a3cf
SHA256 7d6dfc09351fb758e1f74a8c2fa437235ae9d9c25956d91b3c1a74e3c7ff6659
SHA512 995ef23434acc805452c1e501d512e911f1b24ba7ff68b16ba4bece69be8dec6127f051796a01829935a70054b1edc813ef85f284cdf2be9af63e0f813ccb9c3

C:\Program Files (x86)\GUM667A.tmp\goopdateres_vi.dll

MD5 429079c567a45934ba0f96f0fa8adcf7
SHA1 e255a17e31b9de9109aae80682d9aa1e08e1225c
SHA256 a5482b5cd705c7c21cf909271a21ca1d14ad5776eed3cde6cc172c1325fdec8b
SHA512 051f8842d8b98bac43143960c09aa6ee6e348243471db7689178e77b56eb7bb4a5c17dd1989a5723f4059c31ba85ac132f9d642cfcaa8dc7fdf22aad89f45e73

C:\Program Files (x86)\GUM667A.tmp\goopdateres_ur.dll

MD5 6cfec1ef3d0858cbe82f6216e4ebbe34
SHA1 ce902ab62bf916d73eacab6f124f0f68a123d83e
SHA256 651eac1234c920085234b905c18561a004093f6541259665aa7b60c98770a5a7
SHA512 8fd34677e6a6d25a39c9b6e6672ce3375b30b6325adc4411e57ecc1844961ef7818041a8af1039ca33044ef353754b9eab812696b75e0250f7e87c44c3333d0a

C:\Program Files (x86)\GUM667A.tmp\goopdateres_uk.dll

MD5 9e5bed7cfd75f31c673a7667429afd0c
SHA1 c08f3146849c381b0c6fadea5e32517e7fc8d1fc
SHA256 f2606857c9deee910ee531294cf718bbab1c68c3c5936c58a47c5e821f7cc818
SHA512 1b47666e537e4a1adcbc733721615f938f291b522bc7a486e4d4080073a9b325162be535a8ff7074a7ca7a11f7793e8894158cb95e13840250c42931d6283e7e

C:\Program Files (x86)\GUM667A.tmp\goopdateres_tr.dll

MD5 a07aa91448fc5dab182551080df5739c
SHA1 e413b60ecb5ac8424bad0aec45313081f0de6ed3
SHA256 64aad643d5cec54e9e4dd16fd8bf10bda663058d46ddafc28251e60bb5bee3ac
SHA512 062d44b7893a6f56c4d021e2dc4e1dea6fd64d94b8223ba4c7b19596a819c22ea2d90c289b254447ba0febe168c2c8a6a4431ca8f2ec344afbb74404ce11e559

C:\Program Files (x86)\GUM667A.tmp\goopdateres_th.dll

MD5 1b0e309b6d856586c7ab1512b416396e
SHA1 fd8b1e01aec80244aa301dc27ef49f47530b3f51
SHA256 19bb3c0e142b1d841cc8fd86062502f91201f4fd2aedc29d0896558bee454d8c
SHA512 fb3197899bc77384646ebfc2f6cec4074a1391bbbc64e6a65f931514d8f1ec6334e5f64426e2004a0398a34e1603957eb183fc4b1c8cafcb979878463022e11a

C:\Program Files (x86)\GUM667A.tmp\goopdateres_te.dll

MD5 2bd1cf9d36587a808c45de619265b207
SHA1 cdeda1c3e928795a6efbfd27b3e110d3296eab21
SHA256 ff308027487ad0c875b09bb4b3d7d18a93804ddc886b2ef76584e9ab17f9c00c
SHA512 6c35eb41e0254667024ddb2d0625e603deac6fc446f357d7ee55775c044987cb034ce9dfe29147478d21718f4670cf80e8c191d30b770d82e7340d48e2461948

C:\Program Files (x86)\GUM667A.tmp\goopdateres_ta.dll

MD5 e59d868f96c6613fb7aedf9aee5e1b40
SHA1 64f015ccb8ee522570af421dfd32a8487e8f2f70
SHA256 7ef30b858cbc4aab5512e03659658b80b0401446010b4435e8cbcc7650c2769a
SHA512 f45b7a17e30a36093c639ba9f6c8cad87425b152ea22e2ced1bdcc4711a04f62cf2f92cb618bb786e228479de6eec8fba141e80a221d50e50ec00fb1b388bf59

C:\Program Files (x86)\GUM667A.tmp\goopdateres_sw.dll

MD5 4fc95fd2175940f957f92cf58832b1fb
SHA1 4bde7901766868c553316108f4b17fdbb98b3850
SHA256 9002b369b2ef0d9816606b0147e182275a8e80739258a217544d8ff06d8ac8bb
SHA512 5e2938e1254cc8ebdd17666305f62566c5b02c70db4392526a50976b64092e490b50b72d524f1266b27dda3d671ebcf7f2f8f0bdd4ff2136f584b1b5d4a4a389

C:\Program Files (x86)\GUM667A.tmp\goopdateres_sv.dll

MD5 46b6950aeff8b442295ef7769f3b914a
SHA1 55a12cfd9bac7a72af96ff20ce38e3927df92237
SHA256 53910b87a82e5b10aa613bfaac7d598c7f860d1f0d623ca9871fee5351c52a3f
SHA512 40996fdf055003bb7b1b6839329dcb8843ffb96027168d618bf0425a7e5c70729bd8b65eecd3b41485833099aeb9941cb692d567d250b7cd244b1924a0382fc7

C:\Program Files (x86)\GUM667A.tmp\goopdateres_sr.dll

MD5 99f3846a87faf61723e4cf83b2042751
SHA1 65e04c48ffa53ad9880375b56908055176b7216c
SHA256 117c9b2f4a3e3b0cde902597672e49914f8e51bbc446c847f403003a1b59e0a2
SHA512 851654f07562c21211362fb57e6d48cf0257ea1a05a6880691e2b52cc55b6931a82888d67651e39d1a365b5398d61f4bb5939b43b024e7ca34b799e2abdcd18c

C:\Program Files (x86)\GUM667A.tmp\goopdateres_sl.dll

MD5 7d5e325576066992b32aa1040b1aa636
SHA1 e66fec8b63abc4ad17a73df55eab50244c71e939
SHA256 bfcfde4619a4508b250eb18903ddf7a803b3f1517316cd87901ec65ef0eada00
SHA512 3dc578d1e883e4a7fe62338cc61d71482e127025a5875b02893e127faea84f390f86aeedd1678e9f7811d430b9989228afd33456ea1a1001fdcd8201a49b286b

C:\Program Files (x86)\GUM667A.tmp\goopdateres_sk.dll

MD5 3b63a7a242dea58df351032f35060609
SHA1 41fd5437c44b9f761ea6743bf1fd3542eddc7a21
SHA256 69ee64d083f634aadef8dc1d71df808a945b8bd1c5abcb239fa727c77f5b2123
SHA512 bb5f6464bdcd122981bd1b1b93780a9c968590618fe6a4b1a5aa8d48519edca380a156bf66f4ca5499fecbd28bf5f5a10b30fbb41980f9c9700a9de9240793d4

C:\Program Files (x86)\GUM667A.tmp\ZoneAlarmUpdateHelper.msi

MD5 04ae2a984df761cf7f03e8ebae605422
SHA1 1fd95b89012cd6f74b923e6f99bc44c3d104ee7b
SHA256 f633034b2b466ff541bc4aab77b41c1d7a5490ef0cad81c70be07fe2d96b3a18
SHA512 fc8eed12356e633b70f4ef16c7a0b17611e1375208733d53b90545d701d51746e60d77b3af92e2f62a551640feffcb16efa8f5d64e440d82b3d8c47b46522aaa

C:\Program Files (x86)\GUM667A.tmp\goopdateres_zh-TW.dll

MD5 15d8ae5796f89352cf180cb52f945288
SHA1 d6428733ab5ed7ae658f7679bc13b2b174e11727
SHA256 317a0c699ee4ece5cb012b04eb3f097a5eebf1d5c8afa36599196d4711b56a8a
SHA512 0a6fe859bf8a1cd3c1a7c6ffccf309011ae89fcf769feec31ce3b1486d78d1ea22d9110085221d7698e41a4ee8f174f5e1d1ce8d2e5fb985f1d9bff145febaa6

C:\Program Files (x86)\GUM667A.tmp\goopdateres_zh-CN.dll

MD5 1dd286ef09d0c7b64c1ee48b7c3a0830
SHA1 bb83d95229f2a716080d188738ffee3689ea024d
SHA256 706800afaec480a42c5ed3865af6c25ab4bc87bbc8a35cfde6d93d93b1cc3a8a
SHA512 cc8eea141a6317579eed7076adfb7a88eb4bf1da82dea6e89413b8bba385a61b46be6ae20ff7bada5c78ec701d1c34dc2091b2f32f9624fa43d5ce6002eb1d85

C:\Program Files (x86)\GUM667A.tmp\goopdateres_ru.dll

MD5 a89c2184c391c850339da6f25ea72f50
SHA1 a47a35a5260c228d3ce3df3f279240bb1f667100
SHA256 8226f1e1f60eac1afc3df1662d9396bcc326a38ea1c770afc8a8dd9c3e64f77b
SHA512 83b9c017ef74b49e2af6553e3a6029cb4a17ca6dbb4bdeb07da8059d95ac855be2ab25838b17046f9aeead1175172b7fd15b2e15449301220cda2a717285ae19

C:\Program Files (x86)\GUM667A.tmp\goopdateres_ro.dll

MD5 e8414657ab77cd8a8918e80c30ed8dec
SHA1 d00225002c138665e10927f72689e35f23b54ca6
SHA256 d4a698c4f3e66051fb0712d4826f25d21df81e2d4fdd546c617211c1dfe4264b
SHA512 251f216e6d2f9642f936db8c39930df0253b5c6a533fcfab98b45e178d412d38f49dd9ccd654c8e96cef1aee7a581a2787ebda763a571d31c0007472eed7094f

C:\Program Files (x86)\GUM667A.tmp\goopdateres_pt-PT.dll

MD5 202558121ccbfe689603760da782925a
SHA1 4762305c924b7289c786f888d79ce56087f2bb63
SHA256 05bb2c7b93011ab3ba9449104ca48393d5c28d2d04dbed718508b91185e085be
SHA512 e4dc01644347448b9d8571459e82850d6b4525f069be92002142ff155671b2ea11c789ebd889e05398d1a9154ccba344d5f0c12e183f818160d46ea006866115

C:\Program Files (x86)\GUM667A.tmp\goopdateres_pt-BR.dll

MD5 066b22c0bd1c12a5bd6828e7847f7900
SHA1 a0a86aad7bc80858a87cbd51dc84512e0f5e3b25
SHA256 c8198ac41c933500cac9b945bfa2398d1dcea7811a3974ee36f70c1542b070e0
SHA512 99f41733e181116a026dd31dc28903c5cd4b82b51cc59d528d342754fe3651f39aafa0756474e1f15c54b5b7e1ac1d8985204f34e07eafb91f94ca2bd6977d69

C:\Program Files (x86)\GUM667A.tmp\goopdateres_pl.dll

MD5 da1b1f3449ac9de41e9175110c62ade2
SHA1 4a7345603fa10bbfc4ba1c63e88c66441e36fed0
SHA256 99fd3253f2024ba12450a6d29b0b9ca47ef56ea6d640b5d2f09da37dd82d91d5
SHA512 1a96a6355d8db434ee668bf9e85ee8cfb7c676cc548621e0c9ee2180deee8caf44fc9c0a3b253c753346cc215453a7e557927ad448ae06aba76ba22c264d5d81

C:\Program Files (x86)\GUM667A.tmp\goopdateres_no.dll

MD5 09364c51c16e949e602af1acd880a00f
SHA1 a35435756a45a7cbf1badf7fb05aed51be35650c
SHA256 bf369881d57f224a96549fb54ee0b2cfd764b89cb9e0019ca00d0d19056c03db
SHA512 2b8b0df0a3f18d335e7addfc7d3f92041e5376600b30d808be7c0592c55e22478660afc41477fcc0c4d7dbad1c826c3feaa675204053743a6eca8b46115bbe2e

C:\Program Files (x86)\GUM667A.tmp\goopdateres_nl.dll

MD5 e0b463b5c0667fe3f160ca378a18a1d2
SHA1 f20889edcce1392b8710dd50bc78671eb0c09cc5
SHA256 de840b2acc718ec4ccbb4a288e8168b12641374c90dacf5f83919c6c4c03a7d8
SHA512 6308546fe6ebb9684e9615d81e674a89758142895b9d59ee26a262cdef193d078107bd68b5efe90382b48fa1358e4f79c0c682830051940b7f81dad1feeb9015

C:\Program Files (x86)\GUM667A.tmp\goopdateres_ms.dll

MD5 68f44901f067d7695b4faec7ccb378d8
SHA1 8629111bdbc9c6892e66fbc519a0817afccd6452
SHA256 a736aac59f85aef8d6d3d6468bbebb7699161f24dd22d10022ada8c2fa0099a1
SHA512 7f1b80835d4893ad14303ea77946aa57c51a0f126e68f3dd6d4d40a656790d50dafb74535b10a1faa6e32709be7bed6eb4e21dd998ee86e15464dcb6ef4769fc

C:\Program Files (x86)\GUM667A.tmp\goopdateres_mr.dll

MD5 484eac1b49dd74b6d4c89c61518baae9
SHA1 a76015a7a8a783ada2d31a7e65f896e769463cde
SHA256 7eac0b6a5af98cd34a8f615d6defbf5ea2ad631919e5c95523686757e87f2113
SHA512 76c0ecd138402e0a1288c4ce8eb9b94dbc2f208adf1625d48bbf83feb8b0f3716e5b037a733f7e40dce7e6f0c73009b22489128b60a832163f36427bc8f96f9c

C:\Program Files (x86)\GUM667A.tmp\goopdateres_ml.dll

MD5 9617b0959ffa41eecac6ed081210b524
SHA1 3e9231477dd99b23084f9a6bdb14874b4c966eb1
SHA256 af9845f8903766cd2ed8219f250546c481ff942e567e13fb58590ad64cf6e34c
SHA512 29b7a8474bfcd89aae3613c215f6e603d8450484529d561a2ddc2b74b4e778cdcbd1108685430365ac2c2f0fb41f8171174387fa8f8ec970136c5f044e68bf9a

C:\Program Files (x86)\GUM667A.tmp\goopdateres_ja.dll

MD5 2ff56ae3ad1f85f383aa42a086194909
SHA1 974b9a041b8675af0b236d3bad1840c4291f296a
SHA256 3f77466a5c975d435320e90e7a25e14c84f0dbd1ad4e4ce03525d6d3d10f44f8
SHA512 bd72469fe8862f88b2d3ce628ce54e44af3d3cc5e043121efce4c2fbe73e984b3b7938d4877c2d4e29378db9d12940ca65425909fe8f3e34024fd867849b3996

C:\Program Files (x86)\GUM667A.tmp\goopdateres_ko.dll

MD5 5292300ddbecc2720487cae40114b8de
SHA1 49f2ae760099cac4ab7ca2bc28f791e85d75448e
SHA256 0ecce413a9c3d5eded88eabf59de164e1feaf830b55377d02f1425fb7dda88e3
SHA512 337919647d8a4f34067bea95ac3f393ed2ed0dce1a5ec4c54187ae989d0f2c6f4f74a409ca0c41fbf795ec2fdca4204e6a88cf75281b61a8674cec84351f96b3

C:\Program Files (x86)\GUM667A.tmp\goopdateres_kn.dll

MD5 b566ee792ffc0ffaac2e072db0f9d3d3
SHA1 35d214bb5e17fd946831d39acb00156f32d7e8d6
SHA256 83df16287dcdd5812a3f9adf41003b768df9ca6001d77331314ccde3c8525c8a
SHA512 7c941011b1ac64c63c28bb15d1132e2b611698b8d701a1e0823a8120a35c713709f2d44e35ff884688b13d9906b1b2c3c324902c97d72caaa164acd23bb51453

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:16

Platform

android-x64-arm64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:16

Platform

debian12-mipsel-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:16

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Command Line

[/tmp/ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe]

Signatures

N/A

Processes

/tmp/ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe

[/tmp/ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe]

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:19

Platform

win7-20240220-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe"

Signatures

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZoneAlarmUpdate.exe C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZoneAlarmUpdate.exe\DisableExceptionChainValidation = "0" C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
N/A N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
N/A N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_sr.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_zh-TW.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_en.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ru.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\psuser_64.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_iw.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_ja.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_sk.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ko.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\psmachine_64.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_te.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\npZoneAlarmUpdate3.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateWebPlugin.exe C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_pl.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_fil.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_hi.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_kn.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_it.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_vi.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\psuser_64.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateOnDemand.exe C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_no.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_te.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_et.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_fr.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_es.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_sr.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_tr.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\psuser.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_fr.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_hi.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_es-419.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_sw.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ms.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_ro.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmCrashHandler.exe C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_hu.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_es.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_pt-PT.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File opened for modification C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdate.exe C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_th.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\npZoneAlarmUpdate3.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_ru.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_lt.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_es-419.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_sk.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_sl.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_uk.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_sv.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdateWebPlugin.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_bg.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_ur.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_en-GB.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_am.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_fi.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ur.dll C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_sw.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_th.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM1F92.tmp\goopdateres_zh-CN.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\Policy = "3" C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\Policy = "3" C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3}\Policy = "3" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A} C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\AppName = "ZoneAlarmUpdateWebPlugin.exe" C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\AppPath = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0" C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8} C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\AppName = "ZoneAlarmUpdateBroker.exe" C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\AppPath = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0" C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3}\CLSID = "{D5B80838-9D7E-4A94-8115-17A76F676AD3}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{332EDDAF-849B-4BF4-AB55-91A7D145A5D9}\LocalService = "zusm" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1FADDBD4-5D41-4C31-89AE-37A6C1B63DCC}\NumMethods\ = "4" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A93F6E13-DB63-493B-9170-BD91278A1E57}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC5AB8D5-6AFA-43B7-BDAE-06FEC4ECBE04} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFD71C6F-13FF-4E4F-BAAF-097A1E12B523}\LocalServer32\ = "\"C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\ZoneAlarmUpdateBroker.exe\"" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A90FC543-A20F-4B53-A2E4-4E7923933F8D}\AppID = "{A90FC543-A20F-4B53-A2E4-4E7923933F8D}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{332EDDAF-849B-4BF4-AB55-91A7D145A5D9}\ = "Google Update Legacy On Demand" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3WebSvc C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601B182F-F89A-4B53-B847-7987B45D5290}\NumMethods C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1A575A3D-7CEA-422B-9F46-5BBA3BD3FFFF} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE1B13CA-C8E2-46D6-B5A0-02FAD7485323} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A24699BB-64FB-4AF5-A6BA-411D45392F7C}\NumMethods\ = "6" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8515F47F-2E88-40E3-BF7C-8F6B35F9582D}\NumMethods\ = "10" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A575A3D-7CEA-422B-9F46-5BBA3BD3FFFF}\NumMethods\ = "10" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\ = "PSFactoryBuffer" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3WebMachine\ = "Google Update Broker Class Factory" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBA995AE-E466-4EF5-B49C-16C2BF29305F} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3WebSvc\ = "ZoneAlarmUpdate Update3Web" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1FADDBD4-5D41-4C31-89AE-37A6C1B63DCC}\NumMethods\ = "4" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{499D1391-3A6B-4F0F-844D-1DD9CA45ED03}\ = "IZoneAlarmUpdate3" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8C715AA-73C2-4603-BB9A-7B67492B2D6A}\ = "IAppBundle" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601B182F-F89A-4B53-B847-7987B45D5290}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BC307423-DEA5-4E91-A312-A738BE74A13F}\LocalServer32\ = "\"C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\ZoneAlarmUpdateOnDemand.exe\"" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3WebSvc.1.0\CLSID\ = "{0F558182-190A-4A14-9683-30DA54A05BC5}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5C6BA10-52D1-4AB1-8A40-FF24B9705E0E}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D088BAD8-E92C-4500-BDBC-5CF5E239F40E} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FC5AB8D5-6AFA-43B7-BDAE-06FEC4ECBE04}\NumMethods C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D088BAD8-E92C-4500-BDBC-5CF5E239F40E}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D088BAD8-E92C-4500-BDBC-5CF5E239F40E}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1FADDBD4-5D41-4C31-89AE-37A6C1B63DCC}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3WebSvc.1.0 C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1FADDBD4-5D41-4C31-89AE-37A6C1B63DCC}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE1B13CA-C8E2-46D6-B5A0-02FAD7485323}\ = "ICurrentState" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1FADDBD4-5D41-4C31-89AE-37A6C1B63DCC}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBA995AE-E466-4EF5-B49C-16C2BF29305F} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62D4E3B9-85B5-4402-B456-516E9B4AC7A9}\NumMethods C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFD71C6F-13FF-4E4F-BAAF-097A1E12B523}\VersionIndependentProgID C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC5AB8D5-6AFA-43B7-BDAE-06FEC4ECBE04} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8515F47F-2E88-40E3-BF7C-8F6B35F9582D}\NumMethods C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A24699BB-64FB-4AF5-A6BA-411D45392F7C}\ = "IProcessLauncher" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A93F6E13-DB63-493B-9170-BD91278A1E57} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A86AF1BE-D06B-4569-B99A-814124EA8B20} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601B182F-F89A-4B53-B847-7987B45D5290} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86BAA25A-9A0A-4F50-BCC4-1496BBDFBF6D}\NumMethods\ = "5" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8C715AA-73C2-4603-BB9A-7B67492B2D6A}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CoCreateAsync.1.0\CLSID C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A575A3D-7CEA-422B-9F46-5BBA3BD3FFFF}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE1B13CA-C8E2-46D6-B5A0-02FAD7485323}\ = "ICurrentState" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.OnDemandCOMClassMachineFallback\CLSID C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73E7D42D-2571-466E-9394-55368FA96512}\InprocHandler32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BC307423-DEA5-4E91-A312-A738BE74A13F}\Elevation\IconReference = "@C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\goopdate.dll,-1004" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\ = "CheckPoint Update Plugin" C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92785311-171B-4358-A89D-11AC094F5717}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F6129020-E3CC-4B89-B9B6-0945B68F3A8C} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A86AF1BE-D06B-4569-B99A-814124EA8B20}\NumMethods\ = "11" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{39D75D4A-0F18-484D-88B4-25153FE1DD7F}\NumMethods C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A24699BB-64FB-4AF5-A6BA-411D45392F7C}\NumMethods C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A86AF1BE-D06B-4569-B99A-814124EA8B20}\NumMethods C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8515F47F-2E88-40E3-BF7C-8F6B35F9582D}\ = "IAppVersion" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe
PID 3032 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe
PID 3032 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe
PID 3032 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe
PID 3032 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe
PID 3032 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe
PID 3032 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2104 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2104 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2104 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2104 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2104 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2104 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2104 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2132 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2132 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2132 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2132 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2132 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2132 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2132 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2132 wrote to memory of 1704 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 2132 wrote to memory of 1704 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 2132 wrote to memory of 1704 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 2132 wrote to memory of 1704 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 2132 wrote to memory of 1920 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 2132 wrote to memory of 1920 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 2132 wrote to memory of 1920 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 2132 wrote to memory of 1920 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 2132 wrote to memory of 1600 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 2132 wrote to memory of 1600 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 2132 wrote to memory of 1600 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 2132 wrote to memory of 1600 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 2380 wrote to memory of 1548 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 1548 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 1548 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 1548 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 1548 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 1548 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 1548 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2224 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2224 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2224 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2224 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2224 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2224 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 2380 wrote to memory of 2224 N/A C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 884 wrote to memory of 2652 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 884 wrote to memory of 2652 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 884 wrote to memory of 2652 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 884 wrote to memory of 2652 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 884 wrote to memory of 2652 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 884 wrote to memory of 2652 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 884 wrote to memory of 2652 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe

"C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe"

C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe" /installsource taggedmi /install "bundlename=Product&appguid={814E4157-8A6C-461B-A80F-B75931228CA1}&appname=ZoneAlarmNG&needsadmin=True&lang=en&ap=ZANG_FW_FR&usagestats=1"

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /regsvc

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /regserver

C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe

"C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"

C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe

"C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"

C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe

"C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuOTkuMCIgc2hlbGxfdmVyc2lvbj0iMS4zLjk5LjAiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDQ3Rjc3MDYtNDc4RS00MjMyLThGRjktQzgzQTBEODBGMzBGfSIgdXNlcmlkPSJ7RTU1QkNEN0ItOUM1RC00MTdELUI4OEEtQzEzRkQwNzhEMjRGfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0ie0MwMDJERkQzLTA5NDAtNERCNi1CRDc4LUUxMUM4RTZDMEMwQX0iIGRlZHVwPSJjciI-PGh3IHBoeXNtZW1vcnk9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy45OS4wIiBsYW5nPSJlbiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNzM0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /handoff "bundlename=Product&appguid={814E4157-8A6C-461B-A80F-B75931228CA1}&appname=ZoneAlarmNG&needsadmin=True&lang=en&ap=ZANG_FW_FR&usagestats=1" /installsource taggedmi /sessionid "{047F7706-478E-4232-8FF9-C83A0D80F30F}"

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /svc

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuOTkuMCIgc2hlbGxfdmVyc2lvbj0iMS4zLjk5LjAiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDQ3Rjc3MDYtNDc4RS00MjMyLThGRjktQzgzQTBEODBGMzBGfSIgdXNlcmlkPSJ7RTU1QkNEN0ItOUM1RC00MTdELUI4OEEtQzEzRkQwNzhEMjRGfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0ie0Q2RjIwMzVBLUVBOEMtNDIzNS1BODlELTI3OUY2QjQwNzA2QX0iIGRlZHVwPSJjciI-PGh3IHBoeXNtZW1vcnk9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezgxNEU0MTU3LThBNkMtNDYxQi1BODBGLUI3NTkzMTIyOENBMX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IiIgYXA9IlpBTkdfRldfRlIiIGxhbmc9ImVuIiBicmFuZD0iIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMTI3MjEiIGV4dHJhY29kZTE9IjI2ODQzNTQ1OSIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjM0MDM5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 zupdate.zonealarm.com udp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp

Files

\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdate.exe

MD5 89fd362b23a35657a6336df3cfd64e7b
SHA1 654cb73032f37152a5246765f4b4d402689a0b55
SHA256 07535f001d9ff626d2b7295eacf881eee074b704a0ac6041d8ba4bc3e58d48b9
SHA512 9b9573e5863c4f837436dd5d0501faf6308efeb209294ae60944867b4ac1aa29dbaefbb7539118b963751843f04b9f789da45fce017e515949500f9da0f03fd5

C:\Program Files (x86)\GUM1F92.tmp\goopdate.dll

MD5 572b21a1706173306e8d8a3ac8007117
SHA1 ba8edaa5dbdeeb93e8fd22db3580b2e4774e8999
SHA256 f93ff69079392ebe57ab5e23076d2661145434487731c07a961d316c17ad7d34
SHA512 fe7201c898184456555c3aedd37703bf5d806418686f0ed8ab1960a914169d23d8b6254eb9960a6cca3cf78c33ee1d329b6ccb7c6035eccb0bdc42c5c7508cb9

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_en.dll

MD5 972dbfb7a1e859eb98f4e538a7eb351f
SHA1 28869e21c5ec908f69366050f844181f4c9d2637
SHA256 97d8d9549ff2a214fce74ac746ded5b58681aabb70af4a854b324e45ecc16725
SHA512 8ca155487cc68fa465a127e121f085ce911879feca9bfc425d5fa83935178617e3b5889c471af78a3527cbcdcaff774b6ef6a70a2c57a144badd617b976f7b12

memory/2380-80-0x00000000001C0000-0x00000000001C1000-memory.dmp

C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdateCore.exe

MD5 68274b512b5752d9a914e5ab1de5926f
SHA1 20cced7104ccd49128493e0263f5774248c31478
SHA256 735017aa118ef862fedfff0707d5fcbd2abc918019a0c2cdf191f5403f18e300
SHA512 3810ff02cf6914e93f8f2a8c8ab04e6ad941864e38d2f0a6fea3f6b9c08041a0620e4a768387821db31b6aa1026051fc0c2deacd739752445ceb9cd27e3a4236

C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmCrashHandler.exe

MD5 68351fedf0579636dbba97dd5e0efe80
SHA1 68473a8b1fffc7b0286891c3b19cbe0b6532e61f
SHA256 4613295b428618717cd9c11d35694aa13c0708483e4c15a620e75592ab30c5ec
SHA512 2b0b13cce89ef247b80ffbb3331881a9de9db60204b304fb96d4d76b1873447c1c541118e0fccdb54944d6b68b45ef74a78df0472978b14ee316a11bc340136d

C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmCrashHandler64.exe

MD5 a59880ae7d713204229829e14d658686
SHA1 fa8a1f5af1c3dd5d864fe47bc083d0ab2d30657e
SHA256 57679084e0bdd91f06e2bc47441f9a7f54b746898341f74a0c4d78f7e1c6c4b1
SHA512 8b11b6ca6e1b0097784fe9c60336da37291ff42f3175a849b56f68cb7d0572a647a96591969668fea9583d345cca2f77cf85e82535d137dc2376eda14ee17794

C:\Program Files (x86)\GUM1F92.tmp\ZoneAlarmUpdateComRegisterShell64.exe

MD5 4c4934b6b9275a2f5ec789a0ae4ec9ed
SHA1 2ddccb4f7e5b1e4c1a90670becbf64b94c5dbee0
SHA256 f3455a492f3f6f8319f8a35f49734c972d6cb3c4fb756e1eb2b6d6e37e36ffac
SHA512 524aef1ec4648013f5a25e3486a493d29d37dbca1f73613fe406c19da68cdbe10bac1735a5cafc388dac22e915c3a627775530575583b54ed42410c63163e430

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_ar.dll

MD5 7415d9f09649006e0c1555313e2c3ba9
SHA1 3283f49898a6b4c5a7b39343b5843ebc4cf89b4f
SHA256 277e719233da022d585d1c1888140f02cc3a015f467ce8643658cb9e93d801af
SHA512 e4ac00955561c8dd7ecbdf6c701aea990baeb0fb7fd13328f355705529cabd7f5c661ecc746ae0c750e282c0e8255a25f587b252d6418110758f8ebf4d1d1536

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_bn.dll

MD5 af71383de3a520b7ce0585a8bf64368f
SHA1 0761a1e14f19385f8524b71be3882d357f070a86
SHA256 a71c82e6bb69da2231566cf012cba276fa0a3644d7cfc732d188ffb420a209ef
SHA512 832fed14a1e549e388e7094d5ad9f7cc54b2085c66cc2f7a5a063a01631520693179c244d4e02042eee2e22d082706d96868cb66ab7e4bccdba282a6d8be4d01

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_cs.dll

MD5 4b8f45b7e1a39baccc048e4946926f88
SHA1 7fb7e577e6181ceaecbc3f7d0b8d125ad6ad3a81
SHA256 917e26b3a9fafce6d0ae133a1938f5845c4d8273629cfeefb50d373533f51a2a
SHA512 05eed9d216e475c655ac07dfaa03aaeae2d815934b7ed478835a7038ba87e5e2635d954546e9dd3456d74fa0f5ac8a715ad858b2e2473bf6f3d3185ff105b545

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_da.dll

MD5 bf8ad2db1e4cbc938dd903c799792375
SHA1 4bb18c34b7cdc52ed7a3e93e83f4d08150f29664
SHA256 7b5e8c0cb9043b3f1eaef9b64b695da2c6c0bb679027ce7867fa3eba01b37b5c
SHA512 2ca860f2cb4f8c841f36a03043671b86efccaa7a68283213c5f4881ea017dbe7a80ef3c4e25a21d66198692353327775e6d2bfb2dc9a72ca89011761e44ae318

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_el.dll

MD5 aff8107d364418202f6a21b2b03cf9f6
SHA1 89101bcbdfcccdc6608ad3046b1d17da56c01c0e
SHA256 20749fd36930d8c58396409659670b005aa7cb270a610543ed151fc8501f7071
SHA512 e2392d732982d704c1d2fa894fd3c640e8be46731ff8ed140d0a71be567d1b866411afc5da296ef8087c2186d0d3f5f239bea571b152b72642bbb5215911c1a1

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_en-GB.dll

MD5 eb90f269714ff2571c5bdcadd6505ce5
SHA1 65bf50f255ce7e3c49067b702c5ecdb4e4aa774f
SHA256 5f3c880f47811825aee9bab9cafc292d10d9c801a7b2495a823e62c15b2929e6
SHA512 05a058bd7680cc50f3833b2e19b8c82ace2bad5c4da62cde8dd39937dd8f0a1b56481f03747d8628821922ba1e4fe9172416a60ec34d5ca64c8655452593cd0a

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_es.dll

MD5 15a860e025f056cdce88fa27d8c353fe
SHA1 ef17565ac1617b31f15264c689741df998367583
SHA256 1fdd0b09a513c1d47c384887677efb50d2632a561249743305f1e8b1d5c56363
SHA512 52949b64bd225931b591e424f6f29545f73ff6a4a757529e0998fea6ee1b772cac3ca33aeb143be5edc5dd51cb7aac34ffe4c5fc769cbc63a4ccacada56e4ec8

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_et.dll

MD5 5b0b1b683839e8c406d1ef3665ae0536
SHA1 f8614acc851e1502fa7a066db7246c0f44267788
SHA256 4f74fb55665673bf7d3da440f1f30ce1f78c97988cee030a8bb79b137a3b7cf6
SHA512 857cc9301dd00d6321a03cd910673329ccfc267641c280a37798c5a2cf0a930a9f5dca4555989243f46186753d541f60f9ecd533da144320877548ed355d8479

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_fi.dll

MD5 236de2af2c410c1a02a7fbd7b2316a1b
SHA1 54ff9d2b24ae48c8f9fcb279b54054734ccc6618
SHA256 006eb61aa3e9ea055b2c7d21374666fffd57bbaa262b65f26523d125d6448d37
SHA512 8e6f5e44cb04e84c413f064f30837db3b24f84a33325a937387408ab7d621a6cc884e6df9b434056df490ae998d45d79061fb79001138adf95273a941916114e

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_fil.dll

MD5 e97c30923109dc4f1e75ed9be51ff97d
SHA1 ed5326c45325f94bdcc485735a1ce7d17b6976de
SHA256 cad333c1800e6d5a046034e64315de2778287fcd192b3f30d39609173fe5d4f1
SHA512 bbd877d2139f32087d3512ecec3b3d16e44b9d2acfe3c91c41c20406075ae1156409df30f4753bfff4e61241067cde2c2aac92ea52254fe4988bee2dafb9e8a0

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_fr.dll

MD5 79cebac71c94ad83e4499bc217d72bdc
SHA1 84f3e0985062c053a5f977264783af02927b13d5
SHA256 87452cb3bec2fa99fe92d713908153c62c9019bb11df1b6e257a8fad946076b7
SHA512 0ec22277b7cd746b65cb6509297efced79cb14b6c12494322f8734b82632f0c7786d6b3abf58416bb88d2032fd9ede6ae548f869f5f49d79ad880bfa81225c0a

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_gu.dll

MD5 800144063550fb7a04eb285c3e352121
SHA1 05d9de686bf12de71f963f93b8e4d052bd20fe2b
SHA256 0e68bc976c540c659d31f4bd8c6a056891921d50642283dbe166bde69b75f25b
SHA512 c339fe2a31d985c6472ff14f65dc0b4f1f4994a9cc6b6742415a4f12ca250c3c5508595b52afb1795acd619d05aa4dd724401bfa6bc1e49f3d0700d71527025e

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_hu.dll

MD5 ba003c4f7523132aac67a14becfd6ee5
SHA1 dcd59eed9eb2e117494bc78c16b6c3da2f4c6cf5
SHA256 1ad6bc6a61e71733b161a479d0dfd7c8f6b53ed4cef98f9cbee45c8f224a34d1
SHA512 480f014d753cbb71b92e46d5f7c497bcc9b60eab853f13cccb723188af4fadd1bc4d77d3d86fb7a4be6ed7e8219f53c3f0e3b1fdfae1ac504fc986fb76ada468

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_is.dll

MD5 75d1f5388885e41c0a12644ae388ff69
SHA1 e318acc41d1b079a3446a0038df34032709d27e7
SHA256 b10707a5113d4849c409d3b59a1064c6399109c101405343c09dca1ee986ca6b
SHA512 bfe661dbc8aeb4020080fb9756a09b2adf0c26ce02bb7c497b61d83714e30ef0f1a3938a93686181b0b8cf66cf229b8652870b3f859fde3fba7301ae82f18d2e

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_it.dll

MD5 73f622413790002ebf45254d1e5a1ea1
SHA1 53b55408dc9ed6eb01d310c8658ff57c971e4e45
SHA256 bb83a0d819210f548bbe99435fe9c1a8bc50788df6781cda2f6ca22d8c8cc05d
SHA512 f4ee01e70a1d8788367363e6cc572d4fcb12b85068668fefb41ff37e80c29e317157c4525244c4272c3fb66297d06b06a10a7437cb2d1b5a56bb204de67bb16d

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_ja.dll

MD5 2ff56ae3ad1f85f383aa42a086194909
SHA1 974b9a041b8675af0b236d3bad1840c4291f296a
SHA256 3f77466a5c975d435320e90e7a25e14c84f0dbd1ad4e4ce03525d6d3d10f44f8
SHA512 bd72469fe8862f88b2d3ce628ce54e44af3d3cc5e043121efce4c2fbe73e984b3b7938d4877c2d4e29378db9d12940ca65425909fe8f3e34024fd867849b3996

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_kn.dll

MD5 b566ee792ffc0ffaac2e072db0f9d3d3
SHA1 35d214bb5e17fd946831d39acb00156f32d7e8d6
SHA256 83df16287dcdd5812a3f9adf41003b768df9ca6001d77331314ccde3c8525c8a
SHA512 7c941011b1ac64c63c28bb15d1132e2b611698b8d701a1e0823a8120a35c713709f2d44e35ff884688b13d9906b1b2c3c324902c97d72caaa164acd23bb51453

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_lt.dll

MD5 0d6edfe2f40d2d3cc88f0ce66290440e
SHA1 8885cfcd302a44a6a8fbf13a8b767f0efca3a3cf
SHA256 7d6dfc09351fb758e1f74a8c2fa437235ae9d9c25956d91b3c1a74e3c7ff6659
SHA512 995ef23434acc805452c1e501d512e911f1b24ba7ff68b16ba4bece69be8dec6127f051796a01829935a70054b1edc813ef85f284cdf2be9af63e0f813ccb9c3

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_ko.dll

MD5 5292300ddbecc2720487cae40114b8de
SHA1 49f2ae760099cac4ab7ca2bc28f791e85d75448e
SHA256 0ecce413a9c3d5eded88eabf59de164e1feaf830b55377d02f1425fb7dda88e3
SHA512 337919647d8a4f34067bea95ac3f393ed2ed0dce1a5ec4c54187ae989d0f2c6f4f74a409ca0c41fbf795ec2fdca4204e6a88cf75281b61a8674cec84351f96b3

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_iw.dll

MD5 2d8fe0fe40749487d3f343469cb4ed4a
SHA1 68151cc669a99f74846c1743e0803ae91409921f
SHA256 5108741ce1fe3ffc1fa866ac73bbb13726c8ad2d9f5d387c69b1a92ca234a7a2
SHA512 b578263113f5edfc26fbf893bb0d832f60235af3be361e20fbe64fe6ffc51cc3120e92fb75b348da1545ec0e449b6c2be004852e2a63024fee6c3dfc1b4dd4eb

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_ml.dll

MD5 9617b0959ffa41eecac6ed081210b524
SHA1 3e9231477dd99b23084f9a6bdb14874b4c966eb1
SHA256 af9845f8903766cd2ed8219f250546c481ff942e567e13fb58590ad64cf6e34c
SHA512 29b7a8474bfcd89aae3613c215f6e603d8450484529d561a2ddc2b74b4e778cdcbd1108685430365ac2c2f0fb41f8171174387fa8f8ec970136c5f044e68bf9a

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_ms.dll

MD5 68f44901f067d7695b4faec7ccb378d8
SHA1 8629111bdbc9c6892e66fbc519a0817afccd6452
SHA256 a736aac59f85aef8d6d3d6468bbebb7699161f24dd22d10022ada8c2fa0099a1
SHA512 7f1b80835d4893ad14303ea77946aa57c51a0f126e68f3dd6d4d40a656790d50dafb74535b10a1faa6e32709be7bed6eb4e21dd998ee86e15464dcb6ef4769fc

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_no.dll

MD5 09364c51c16e949e602af1acd880a00f
SHA1 a35435756a45a7cbf1badf7fb05aed51be35650c
SHA256 bf369881d57f224a96549fb54ee0b2cfd764b89cb9e0019ca00d0d19056c03db
SHA512 2b8b0df0a3f18d335e7addfc7d3f92041e5376600b30d808be7c0592c55e22478660afc41477fcc0c4d7dbad1c826c3feaa675204053743a6eca8b46115bbe2e

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_nl.dll

MD5 e0b463b5c0667fe3f160ca378a18a1d2
SHA1 f20889edcce1392b8710dd50bc78671eb0c09cc5
SHA256 de840b2acc718ec4ccbb4a288e8168b12641374c90dacf5f83919c6c4c03a7d8
SHA512 6308546fe6ebb9684e9615d81e674a89758142895b9d59ee26a262cdef193d078107bd68b5efe90382b48fa1358e4f79c0c682830051940b7f81dad1feeb9015

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_pt-BR.dll

MD5 066b22c0bd1c12a5bd6828e7847f7900
SHA1 a0a86aad7bc80858a87cbd51dc84512e0f5e3b25
SHA256 c8198ac41c933500cac9b945bfa2398d1dcea7811a3974ee36f70c1542b070e0
SHA512 99f41733e181116a026dd31dc28903c5cd4b82b51cc59d528d342754fe3651f39aafa0756474e1f15c54b5b7e1ac1d8985204f34e07eafb91f94ca2bd6977d69

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_pl.dll

MD5 da1b1f3449ac9de41e9175110c62ade2
SHA1 4a7345603fa10bbfc4ba1c63e88c66441e36fed0
SHA256 99fd3253f2024ba12450a6d29b0b9ca47ef56ea6d640b5d2f09da37dd82d91d5
SHA512 1a96a6355d8db434ee668bf9e85ee8cfb7c676cc548621e0c9ee2180deee8caf44fc9c0a3b253c753346cc215453a7e557927ad448ae06aba76ba22c264d5d81

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_pt-PT.dll

MD5 202558121ccbfe689603760da782925a
SHA1 4762305c924b7289c786f888d79ce56087f2bb63
SHA256 05bb2c7b93011ab3ba9449104ca48393d5c28d2d04dbed718508b91185e085be
SHA512 e4dc01644347448b9d8571459e82850d6b4525f069be92002142ff155671b2ea11c789ebd889e05398d1a9154ccba344d5f0c12e183f818160d46ea006866115

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_ru.dll

MD5 a89c2184c391c850339da6f25ea72f50
SHA1 a47a35a5260c228d3ce3df3f279240bb1f667100
SHA256 8226f1e1f60eac1afc3df1662d9396bcc326a38ea1c770afc8a8dd9c3e64f77b
SHA512 83b9c017ef74b49e2af6553e3a6029cb4a17ca6dbb4bdeb07da8059d95ac855be2ab25838b17046f9aeead1175172b7fd15b2e15449301220cda2a717285ae19

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_sk.dll

MD5 3b63a7a242dea58df351032f35060609
SHA1 41fd5437c44b9f761ea6743bf1fd3542eddc7a21
SHA256 69ee64d083f634aadef8dc1d71df808a945b8bd1c5abcb239fa727c77f5b2123
SHA512 bb5f6464bdcd122981bd1b1b93780a9c968590618fe6a4b1a5aa8d48519edca380a156bf66f4ca5499fecbd28bf5f5a10b30fbb41980f9c9700a9de9240793d4

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_sl.dll

MD5 7d5e325576066992b32aa1040b1aa636
SHA1 e66fec8b63abc4ad17a73df55eab50244c71e939
SHA256 bfcfde4619a4508b250eb18903ddf7a803b3f1517316cd87901ec65ef0eada00
SHA512 3dc578d1e883e4a7fe62338cc61d71482e127025a5875b02893e127faea84f390f86aeedd1678e9f7811d430b9989228afd33456ea1a1001fdcd8201a49b286b

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_sr.dll

MD5 99f3846a87faf61723e4cf83b2042751
SHA1 65e04c48ffa53ad9880375b56908055176b7216c
SHA256 117c9b2f4a3e3b0cde902597672e49914f8e51bbc446c847f403003a1b59e0a2
SHA512 851654f07562c21211362fb57e6d48cf0257ea1a05a6880691e2b52cc55b6931a82888d67651e39d1a365b5398d61f4bb5939b43b024e7ca34b799e2abdcd18c

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_sv.dll

MD5 46b6950aeff8b442295ef7769f3b914a
SHA1 55a12cfd9bac7a72af96ff20ce38e3927df92237
SHA256 53910b87a82e5b10aa613bfaac7d598c7f860d1f0d623ca9871fee5351c52a3f
SHA512 40996fdf055003bb7b1b6839329dcb8843ffb96027168d618bf0425a7e5c70729bd8b65eecd3b41485833099aeb9941cb692d567d250b7cd244b1924a0382fc7

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_sw.dll

MD5 4fc95fd2175940f957f92cf58832b1fb
SHA1 4bde7901766868c553316108f4b17fdbb98b3850
SHA256 9002b369b2ef0d9816606b0147e182275a8e80739258a217544d8ff06d8ac8bb
SHA512 5e2938e1254cc8ebdd17666305f62566c5b02c70db4392526a50976b64092e490b50b72d524f1266b27dda3d671ebcf7f2f8f0bdd4ff2136f584b1b5d4a4a389

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_ro.dll

MD5 e8414657ab77cd8a8918e80c30ed8dec
SHA1 d00225002c138665e10927f72689e35f23b54ca6
SHA256 d4a698c4f3e66051fb0712d4826f25d21df81e2d4fdd546c617211c1dfe4264b
SHA512 251f216e6d2f9642f936db8c39930df0253b5c6a533fcfab98b45e178d412d38f49dd9ccd654c8e96cef1aee7a581a2787ebda763a571d31c0007472eed7094f

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_ta.dll

MD5 e59d868f96c6613fb7aedf9aee5e1b40
SHA1 64f015ccb8ee522570af421dfd32a8487e8f2f70
SHA256 7ef30b858cbc4aab5512e03659658b80b0401446010b4435e8cbcc7650c2769a
SHA512 f45b7a17e30a36093c639ba9f6c8cad87425b152ea22e2ced1bdcc4711a04f62cf2f92cb618bb786e228479de6eec8fba141e80a221d50e50ec00fb1b388bf59

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_mr.dll

MD5 484eac1b49dd74b6d4c89c61518baae9
SHA1 a76015a7a8a783ada2d31a7e65f896e769463cde
SHA256 7eac0b6a5af98cd34a8f615d6defbf5ea2ad631919e5c95523686757e87f2113
SHA512 76c0ecd138402e0a1288c4ce8eb9b94dbc2f208adf1625d48bbf83feb8b0f3716e5b037a733f7e40dce7e6f0c73009b22489128b60a832163f36427bc8f96f9c

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_lv.dll

MD5 5f2d6b0aa3fc70637ea0d86863f4e9d3
SHA1 66719518fc6204fa5b3cd5e881c33b385157a3a3
SHA256 fc4bb495fd17d999924ccf6b66a6cb010d27e4f2a7e5a63e152be7dead3bdf19
SHA512 8d6ddc7770b4b81b96f5be5b15e6b6079a00635298b268d1082a2a8af1385b8bf86783c8fe1b3369ee8002eab1049fb564534e8c76a22a5d74162ac6ca484e59

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_id.dll

MD5 881f95414c50494ae62f2f8e0709204c
SHA1 ca987f51e990a2854bd561b4a20a002beb40caa2
SHA256 f44a7849d2fe42b07fbe0deb67e4112527452e31a0e1b09fa5eaad3d637d44a2
SHA512 800c30e31659aa864351c1df40f65faf7f9d55cf562f262b1b7255974cbe95d9228a2e044211d6e5bc82f23936b2a5121ea7e2a13c0a415511bfd343deb75719

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_hr.dll

MD5 f10e945b4a0caa27b6c93bbe774a9a4f
SHA1 32e2572d329821a6b49213b99afaa84050de6fe5
SHA256 7461b8df4b23f27cdb8bf999102505be897ff8c18f781f34c1f7f73dbeafcce4
SHA512 919c8fb837fe44f8c6b8828708bca01a9ba77ab466d35350e1f113af056c6b6ad7a882469ba78fd623ede39c0811150cd81cec9f2ebf0b18acb86abbe0346952

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_hi.dll

MD5 673e16edc3eb0756fcb2bad19858fa8c
SHA1 125b38a399d677744fe6f9add31540c9583d6e64
SHA256 aaf237ab2ea80d3bc3628e9b9fec255ad6417b4f5fcf5351f0dc150998d46b94
SHA512 5e58ab604cca741865f65c2d371da14f43f9ed66ada19c38f97ea9db850215568bb81404dad93c7ca3482efa41e04a3e72fae5356071c09df05d1ac6abe84d9d

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_fa.dll

MD5 3a6e68fe872b293df90696996e76b38f
SHA1 a69b0192f3e768f2f11507e02c0cdf132e1aaab8
SHA256 41e166029b80e8c538f36bfabb7bac40bed848854dfd13e0bf8e8979a3511740
SHA512 3679c836ae3d9501d7f88fc107e09595c6a403bf8a4b1cd251cb443bddb0e84bf6660edc39fce0ec82c05a62e95299987b854ba91373b7b373127a4615f51550

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_es-419.dll

MD5 f82e1dfb6859590345a3743b8593dc87
SHA1 8050281431d32804231b3f9b03187d21225ae8ba
SHA256 0b43e4a4138761c0b3c9bba465d6bd137987d134d21bb135037cf2456c98fddb
SHA512 b43c018f8250b339b02bff466e7fa9a1cc547b0b48efdbd67100eaca507220f6189cbd9c7c753a97a7b0564fbb9815d91f588421682782f1463b6aba150df0d4

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_de.dll

MD5 08a0d1a5117893ae591b9106effe5247
SHA1 0e4a97ad9b157df75d9d954485acef4c1a3531e4
SHA256 5627427ccdadb0cbec2ac81347881a97d65bf8806ae45fa2d8d08d01e0c065a1
SHA512 164b053d225645dbdf0362a78b1850778363d534d2b19a75a0bbfcd3545ef05b87e6351fe3423103d8cf5199204b079760a66d872aee90b1da093a0029bed048

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_ca.dll

MD5 18b42252e2a7a5c50e22b351d1f9d3b7
SHA1 20c19214e0476290f3ec3396609992b735ffb118
SHA256 dcea9438bd4a16620c28d25169a2b023cfb0ce7ce2b8d713839e5001038e4552
SHA512 2903e9b85717f941f2ac9d49120069973ae6025de6d8a00d2a6da53950ef1fcc0d5b3f4c7ecf599451cce11062aff36c6f069dea911f42f0800148f899be97d7

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_bg.dll

MD5 8eac2099a1e21bae948d6e149fbdabaf
SHA1 5516edeac6765bd5f30484611782764874b64b08
SHA256 a1062fcaf046c3ad0a13001045acc71dcde10f4802e6fa3caabb1b0f6d821555
SHA512 17e6d1f7c7c79957e8083304249f6f1810ecb5afda5eacceddfe954f5629ca36f7371f58f997cb9924c973b7e58c9d0b44ec803a81bb33f4d07acbc0547ffd3a

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_am.dll

MD5 86a76c0d9a83f9bebe41b625451130a6
SHA1 462d8d69e0849e8060cd02e5c23f76a477997136
SHA256 60683f854f8ddb182c09106b2e12973f738b16209faa11e749a64be458e7c03f
SHA512 ab73e8ffcde809ece00991d477659c994ffeb518688cd0c531a328f3893af9b671606aca6239927b95aaf4ae8284007ea1229a0f2381ae32f1022c237c9ff923

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_te.dll

MD5 2bd1cf9d36587a808c45de619265b207
SHA1 cdeda1c3e928795a6efbfd27b3e110d3296eab21
SHA256 ff308027487ad0c875b09bb4b3d7d18a93804ddc886b2ef76584e9ab17f9c00c
SHA512 6c35eb41e0254667024ddb2d0625e603deac6fc446f357d7ee55775c044987cb034ce9dfe29147478d21718f4670cf80e8c191d30b770d82e7340d48e2461948

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_th.dll

MD5 1b0e309b6d856586c7ab1512b416396e
SHA1 fd8b1e01aec80244aa301dc27ef49f47530b3f51
SHA256 19bb3c0e142b1d841cc8fd86062502f91201f4fd2aedc29d0896558bee454d8c
SHA512 fb3197899bc77384646ebfc2f6cec4074a1391bbbc64e6a65f931514d8f1ec6334e5f64426e2004a0398a34e1603957eb183fc4b1c8cafcb979878463022e11a

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_tr.dll

MD5 a07aa91448fc5dab182551080df5739c
SHA1 e413b60ecb5ac8424bad0aec45313081f0de6ed3
SHA256 64aad643d5cec54e9e4dd16fd8bf10bda663058d46ddafc28251e60bb5bee3ac
SHA512 062d44b7893a6f56c4d021e2dc4e1dea6fd64d94b8223ba4c7b19596a819c22ea2d90c289b254447ba0febe168c2c8a6a4431ca8f2ec344afbb74404ce11e559

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_uk.dll

MD5 9e5bed7cfd75f31c673a7667429afd0c
SHA1 c08f3146849c381b0c6fadea5e32517e7fc8d1fc
SHA256 f2606857c9deee910ee531294cf718bbab1c68c3c5936c58a47c5e821f7cc818
SHA512 1b47666e537e4a1adcbc733721615f938f291b522bc7a486e4d4080073a9b325162be535a8ff7074a7ca7a11f7793e8894158cb95e13840250c42931d6283e7e

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_ur.dll

MD5 6cfec1ef3d0858cbe82f6216e4ebbe34
SHA1 ce902ab62bf916d73eacab6f124f0f68a123d83e
SHA256 651eac1234c920085234b905c18561a004093f6541259665aa7b60c98770a5a7
SHA512 8fd34677e6a6d25a39c9b6e6672ce3375b30b6325adc4411e57ecc1844961ef7818041a8af1039ca33044ef353754b9eab812696b75e0250f7e87c44c3333d0a

C:\Program Files (x86)\GUM1F92.tmp\goopdateres_vi.dll

MD5 429079c567a45934ba0f96f0fa8adcf7
SHA1 e255a17e31b9de9109aae80682d9aa1e08e1225c
SHA256 a5482b5cd705c7c21cf909271a21ca1d14ad5776eed3cde6cc172c1325fdec8b
SHA512 051f8842d8b98bac43143960c09aa6ee6e348243471db7689178e77b56eb7bb4a5c17dd1989a5723f4059c31ba85ac132f9d642cfcaa8dc7fdf22aad89f45e73

C:\Users\Admin\AppData\Local\Temp\Cab318C.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Windows\Temp\Tar32A9.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2380-667-0x00000000001C0000-0x00000000001C1000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:19

Platform

win11-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe"

Signatures

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZoneAlarmUpdate.exe C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZoneAlarmUpdate.exe\DisableExceptionChainValidation = "0" C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_fr.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_es-419.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_pt-PT.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_da.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_vi.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_hu.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_lt.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateHelper.msi C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_kn.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File opened for modification C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_et.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_te.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_lt.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File opened for modification C:\Program Files (x86)\GUT5B8E.tmp C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdateWebPlugin.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_th.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_zh-TW.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_es-419.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_de.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_el.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\psuser.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_es.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ja.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_lv.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateSetup.exe C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_pt-BR.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_iw.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_bn.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_hr.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ta.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_fa.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\npZoneAlarmUpdate3.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdate.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_bg.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_pl.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\psmachine.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_da.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ko.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_nl.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateBroker.exe C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\psmachine_64.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ro.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_pt-PT.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ar.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_sk.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_sv.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_gu.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ro.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_sw.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ja.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_uk.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateWebPlugin.exe C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_el.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_fa.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_lv.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\psuser_64.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ru.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_fr.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_hu.dll C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_mr.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3}\CLSID = "{D5B80838-9D7E-4A94-8115-17A76F676AD3}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\AppPath = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0" C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\Policy = "3" C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8} C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\AppName = "ZoneAlarmUpdateBroker.exe" C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\AppPath = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0" C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\Policy = "3" C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3}\Policy = "3" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A} C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\AppName = "ZoneAlarmUpdateWebPlugin.exe" C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3WebSvc.1.0\CLSID C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92785311-171B-4358-A89D-11AC094F5717}\NumMethods\ = "41" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A575A3D-7CEA-422B-9F46-5BBA3BD3FFFF}\ = "ICoCreateAsyncStatus" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07567CD2-4EE7-4040-9226-D4B83474EC0F}\VersionIndependentProgID\ = "CheckPointUpdate.CredentialDialogMachine" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A575A3D-7CEA-422B-9F46-5BBA3BD3FFFF} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8C715AA-73C2-4603-BB9A-7B67492B2D6A}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPoint.OneClickCtrl.9\CLSID\ = "{F14E3171-3473-43E0-A7A6-0EBB438C005A}" C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F558182-190A-4A14-9683-30DA54A05BC5}\ProgID\ = "CheckPointUpdate.Update3WebSvc.1.0" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73E7D42D-2571-466E-9394-55368FA96512} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3WebMachine.1.0\CLSID\ = "{DB9A0177-9BBE-4B9B-A615-E698F7C73D50}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601B182F-F89A-4B53-B847-7987B45D5290}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3COMClassService\CLSID C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73E7D42D-2571-466E-9394-55368FA96512}\InprocHandler32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE1B13CA-C8E2-46D6-B5A0-02FAD7485323}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine.dll" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A86AF1BE-D06B-4569-B99A-814124EA8B20} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CredentialDialogMachine.1.0 C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7A50D4F-9FCE-48D7-B93F-A45944226ECF}\ = "IBrowserHttpRequest2" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD29A878-82EC-4F08-97D7-8C7C691892F0}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F558182-190A-4A14-9683-30DA54A05BC5} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39D75D4A-0F18-484D-88B4-25153FE1DD7F} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F6129020-E3CC-4B89-B9B6-0945B68F3A8C}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBA995AE-E466-4EF5-B49C-16C2BF29305F}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1557BFC-F8CE-4EA3-9130-9F461F91379C} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.OnDemandCOMClassMachine\CLSID\ = "{DFD71C6F-13FF-4E4F-BAAF-097A1E12B523}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A93F6E13-DB63-493B-9170-BD91278A1E57}\ = "IZoneAlarmUpdate3Web" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3\CLSID = "{3A55D03B-5313-409B-A2DB-3677800A7AD8}" C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{332EDDAF-849B-4BF4-AB55-91A7D145A5D9}\ServiceParameters = "/comsvc" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CD5C033-8E26-4B96-A6FB-393DCCF30294}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{499D1391-3A6B-4F0F-844D-1DD9CA45ED03}\ = "IZoneAlarmUpdate3" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3WebMachine\ = "Google Update Broker Class Factory" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8C715AA-73C2-4603-BB9A-7B67492B2D6A}\NumMethods C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73E7D42D-2571-466E-9394-55368FA96512}\InprocHandler32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPoint.OneClickProcessLauncherMachine\ = "CheckPoint.OneClickProcessLauncher" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3065C225-61D8-4BD8-8341-BB49BB3A5257} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D088BAD8-E92C-4500-BDBC-5CF5E239F40E}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CD5C033-8E26-4B96-A6FB-393DCCF30294}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39D75D4A-0F18-484D-88B4-25153FE1DD7F}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3540206-D91F-4B5D-B3EF-7526CB201CF1}\VersionIndependentProgID\ = "CheckPointUpdate.Update3WebMachineFallback" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92785311-171B-4358-A89D-11AC094F5717}\ = "IApp" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1FADDBD4-5D41-4C31-89AE-37A6C1B63DCC}\NumMethods C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CD5C033-8E26-4B96-A6FB-393DCCF30294} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.OnDemandCOMClassMachine\CurVer C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5C6BA10-52D1-4AB1-8A40-FF24B9705E0E}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601B182F-F89A-4B53-B847-7987B45D5290} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD29A878-82EC-4F08-97D7-8C7C691892F0} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8C715AA-73C2-4603-BB9A-7B67492B2D6A}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD29A878-82EC-4F08-97D7-8C7C691892F0}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1FADDBD4-5D41-4C31-89AE-37A6C1B63DCC}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DF65338-FEC8-4270-A02A-B06B1DE3AC09}\NumMethods\ = "9" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ZoneAlarmUpdate.exe\AppID = "{A90FC543-A20F-4B53-A2E4-4E7923933F8D}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFD71C6F-13FF-4E4F-BAAF-097A1E12B523}\Elevation C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC5AB8D5-6AFA-43B7-BDAE-06FEC4ECBE04}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B930D828-1FD1-4255-8336-1CDA396C671D}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07567CD2-4EE7-4040-9226-D4B83474EC0F}\LocalServer32 C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{499D1391-3A6B-4F0F-844D-1DD9CA45ED03}\NumMethods\ = "10" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC307423-DEA5-4E91-A312-A738BE74A13F}\VersionIndependentProgID\ = "CheckPointUpdate.OnDemandCOMClassMachineFallback" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\ = "PSFactoryBuffer" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86BAA25A-9A0A-4F50-BCC4-1496BBDFBF6D}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8515F47F-2E88-40E3-BF7C-8F6B35F9582D}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3180 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe
PID 3180 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe
PID 3180 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe
PID 1336 wrote to memory of 964 N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1336 wrote to memory of 964 N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1336 wrote to memory of 964 N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1336 wrote to memory of 1648 N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1336 wrote to memory of 1648 N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1336 wrote to memory of 1648 N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1648 wrote to memory of 4352 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1648 wrote to memory of 4352 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1648 wrote to memory of 3888 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1648 wrote to memory of 3888 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1648 wrote to memory of 1020 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1648 wrote to memory of 1020 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1336 wrote to memory of 4976 N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1336 wrote to memory of 4976 N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1336 wrote to memory of 4976 N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1336 wrote to memory of 4696 N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1336 wrote to memory of 4696 N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1336 wrote to memory of 4696 N/A C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4288 wrote to memory of 916 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4288 wrote to memory of 916 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 4288 wrote to memory of 916 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe

"C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe"

C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe" /installsource taggedmi /install "bundlename=Product&appguid={814E4157-8A6C-461B-A80F-B75931228CA1}&appname=ZoneAlarmNG&needsadmin=True&lang=en&ap=ZANG_FW_FR&usagestats=1"

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /regsvc

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /regserver

C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe

"C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"

C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe

"C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"

C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe

"C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuOTkuMCIgc2hlbGxfdmVyc2lvbj0iMS4zLjk5LjAiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RkRBMEQzRkEtNjJFRC00QjA1LTlBQkYtRjY1MTczMjY5OTNCfSIgdXNlcmlkPSJ7MEVGMDk3N0YtOUI2RS00NDcxLUE2ODgtOTQzNDRCRjVGNTVDfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0iezc3QzI4RUI1LTE3NjEtNDhGQy1CMTY4LTFCMEZEMTZEQjNERH0iIGRlZHVwPSJjciI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjk5LjAiIGxhbmc9ImVuIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI1NjIiLz48L2FwcD48L3JlcXVlc3Q-

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /handoff "bundlename=Product&appguid={814E4157-8A6C-461B-A80F-B75931228CA1}&appname=ZoneAlarmNG&needsadmin=True&lang=en&ap=ZANG_FW_FR&usagestats=1" /installsource taggedmi /sessionid "{FDA0D3FA-62ED-4B05-9ABF-F6517326993B}"

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /svc

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuOTkuMCIgc2hlbGxfdmVyc2lvbj0iMS4zLjk5LjAiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RkRBMEQzRkEtNjJFRC00QjA1LTlBQkYtRjY1MTczMjY5OTNCfSIgdXNlcmlkPSJ7MEVGMDk3N0YtOUI2RS00NDcxLUE2ODgtOTQzNDRCRjVGNTVDfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0iezhDRjdGMTc1LTgwMUQtNDM2MS04MUJFLTczRUM4RjA3QzlDOH0iIGRlZHVwPSJjciI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7ODE0RTQxNTctOEE2Qy00NjFCLUE4MEYtQjc1OTMxMjI4Q0ExfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iIiBhcD0iWkFOR19GV19GUiIgbGFuZz0iZW4iIGJyYW5kPSIiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAxMjg2NiIgZXh0cmFjb2RlMT0iMjY4NDM1NDU5IiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMTE3ODU5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
US 8.8.8.8:53 zupdate.zonealarm.com udp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp

Files

C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdate.exe

MD5 89fd362b23a35657a6336df3cfd64e7b
SHA1 654cb73032f37152a5246765f4b4d402689a0b55
SHA256 07535f001d9ff626d2b7295eacf881eee074b704a0ac6041d8ba4bc3e58d48b9
SHA512 9b9573e5863c4f837436dd5d0501faf6308efeb209294ae60944867b4ac1aa29dbaefbb7539118b963751843f04b9f789da45fce017e515949500f9da0f03fd5

C:\Program Files (x86)\GUM5B8D.tmp\goopdate.dll

MD5 572b21a1706173306e8d8a3ac8007117
SHA1 ba8edaa5dbdeeb93e8fd22db3580b2e4774e8999
SHA256 f93ff69079392ebe57ab5e23076d2661145434487731c07a961d316c17ad7d34
SHA512 fe7201c898184456555c3aedd37703bf5d806418686f0ed8ab1960a914169d23d8b6254eb9960a6cca3cf78c33ee1d329b6ccb7c6035eccb0bdc42c5c7508cb9

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_en.dll

MD5 972dbfb7a1e859eb98f4e538a7eb351f
SHA1 28869e21c5ec908f69366050f844181f4c9d2637
SHA256 97d8d9549ff2a214fce74ac746ded5b58681aabb70af4a854b324e45ecc16725
SHA512 8ca155487cc68fa465a127e121f085ce911879feca9bfc425d5fa83935178617e3b5889c471af78a3527cbcdcaff774b6ef6a70a2c57a144badd617b976f7b12

C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdateCore.exe

MD5 68274b512b5752d9a914e5ab1de5926f
SHA1 20cced7104ccd49128493e0263f5774248c31478
SHA256 735017aa118ef862fedfff0707d5fcbd2abc918019a0c2cdf191f5403f18e300
SHA512 3810ff02cf6914e93f8f2a8c8ab04e6ad941864e38d2f0a6fea3f6b9c08041a0620e4a768387821db31b6aa1026051fc0c2deacd739752445ceb9cd27e3a4236

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_es.dll

MD5 15a860e025f056cdce88fa27d8c353fe
SHA1 ef17565ac1617b31f15264c689741df998367583
SHA256 1fdd0b09a513c1d47c384887677efb50d2632a561249743305f1e8b1d5c56363
SHA512 52949b64bd225931b591e424f6f29545f73ff6a4a757529e0998fea6ee1b772cac3ca33aeb143be5edc5dd51cb7aac34ffe4c5fc769cbc63a4ccacada56e4ec8

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_et.dll

MD5 5b0b1b683839e8c406d1ef3665ae0536
SHA1 f8614acc851e1502fa7a066db7246c0f44267788
SHA256 4f74fb55665673bf7d3da440f1f30ce1f78c97988cee030a8bb79b137a3b7cf6
SHA512 857cc9301dd00d6321a03cd910673329ccfc267641c280a37798c5a2cf0a930a9f5dca4555989243f46186753d541f60f9ecd533da144320877548ed355d8479

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_lv.dll

MD5 5f2d6b0aa3fc70637ea0d86863f4e9d3
SHA1 66719518fc6204fa5b3cd5e881c33b385157a3a3
SHA256 fc4bb495fd17d999924ccf6b66a6cb010d27e4f2a7e5a63e152be7dead3bdf19
SHA512 8d6ddc7770b4b81b96f5be5b15e6b6079a00635298b268d1082a2a8af1385b8bf86783c8fe1b3369ee8002eab1049fb564534e8c76a22a5d74162ac6ca484e59

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ta.dll

MD5 e59d868f96c6613fb7aedf9aee5e1b40
SHA1 64f015ccb8ee522570af421dfd32a8487e8f2f70
SHA256 7ef30b858cbc4aab5512e03659658b80b0401446010b4435e8cbcc7650c2769a
SHA512 f45b7a17e30a36093c639ba9f6c8cad87425b152ea22e2ced1bdcc4711a04f62cf2f92cb618bb786e228479de6eec8fba141e80a221d50e50ec00fb1b388bf59

C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdateHelper.msi

MD5 04ae2a984df761cf7f03e8ebae605422
SHA1 1fd95b89012cd6f74b923e6f99bc44c3d104ee7b
SHA256 f633034b2b466ff541bc4aab77b41c1d7a5490ef0cad81c70be07fe2d96b3a18
SHA512 fc8eed12356e633b70f4ef16c7a0b17611e1375208733d53b90545d701d51746e60d77b3af92e2f62a551640feffcb16efa8f5d64e440d82b3d8c47b46522aaa

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_zh-TW.dll

MD5 15d8ae5796f89352cf180cb52f945288
SHA1 d6428733ab5ed7ae658f7679bc13b2b174e11727
SHA256 317a0c699ee4ece5cb012b04eb3f097a5eebf1d5c8afa36599196d4711b56a8a
SHA512 0a6fe859bf8a1cd3c1a7c6ffccf309011ae89fcf769feec31ce3b1486d78d1ea22d9110085221d7698e41a4ee8f174f5e1d1ce8d2e5fb985f1d9bff145febaa6

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_zh-CN.dll

MD5 1dd286ef09d0c7b64c1ee48b7c3a0830
SHA1 bb83d95229f2a716080d188738ffee3689ea024d
SHA256 706800afaec480a42c5ed3865af6c25ab4bc87bbc8a35cfde6d93d93b1cc3a8a
SHA512 cc8eea141a6317579eed7076adfb7a88eb4bf1da82dea6e89413b8bba385a61b46be6ae20ff7bada5c78ec701d1c34dc2091b2f32f9624fa43d5ce6002eb1d85

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_vi.dll

MD5 429079c567a45934ba0f96f0fa8adcf7
SHA1 e255a17e31b9de9109aae80682d9aa1e08e1225c
SHA256 a5482b5cd705c7c21cf909271a21ca1d14ad5776eed3cde6cc172c1325fdec8b
SHA512 051f8842d8b98bac43143960c09aa6ee6e348243471db7689178e77b56eb7bb4a5c17dd1989a5723f4059c31ba85ac132f9d642cfcaa8dc7fdf22aad89f45e73

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ur.dll

MD5 6cfec1ef3d0858cbe82f6216e4ebbe34
SHA1 ce902ab62bf916d73eacab6f124f0f68a123d83e
SHA256 651eac1234c920085234b905c18561a004093f6541259665aa7b60c98770a5a7
SHA512 8fd34677e6a6d25a39c9b6e6672ce3375b30b6325adc4411e57ecc1844961ef7818041a8af1039ca33044ef353754b9eab812696b75e0250f7e87c44c3333d0a

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_uk.dll

MD5 9e5bed7cfd75f31c673a7667429afd0c
SHA1 c08f3146849c381b0c6fadea5e32517e7fc8d1fc
SHA256 f2606857c9deee910ee531294cf718bbab1c68c3c5936c58a47c5e821f7cc818
SHA512 1b47666e537e4a1adcbc733721615f938f291b522bc7a486e4d4080073a9b325162be535a8ff7074a7ca7a11f7793e8894158cb95e13840250c42931d6283e7e

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_tr.dll

MD5 a07aa91448fc5dab182551080df5739c
SHA1 e413b60ecb5ac8424bad0aec45313081f0de6ed3
SHA256 64aad643d5cec54e9e4dd16fd8bf10bda663058d46ddafc28251e60bb5bee3ac
SHA512 062d44b7893a6f56c4d021e2dc4e1dea6fd64d94b8223ba4c7b19596a819c22ea2d90c289b254447ba0febe168c2c8a6a4431ca8f2ec344afbb74404ce11e559

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_th.dll

MD5 1b0e309b6d856586c7ab1512b416396e
SHA1 fd8b1e01aec80244aa301dc27ef49f47530b3f51
SHA256 19bb3c0e142b1d841cc8fd86062502f91201f4fd2aedc29d0896558bee454d8c
SHA512 fb3197899bc77384646ebfc2f6cec4074a1391bbbc64e6a65f931514d8f1ec6334e5f64426e2004a0398a34e1603957eb183fc4b1c8cafcb979878463022e11a

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_te.dll

MD5 2bd1cf9d36587a808c45de619265b207
SHA1 cdeda1c3e928795a6efbfd27b3e110d3296eab21
SHA256 ff308027487ad0c875b09bb4b3d7d18a93804ddc886b2ef76584e9ab17f9c00c
SHA512 6c35eb41e0254667024ddb2d0625e603deac6fc446f357d7ee55775c044987cb034ce9dfe29147478d21718f4670cf80e8c191d30b770d82e7340d48e2461948

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_sw.dll

MD5 4fc95fd2175940f957f92cf58832b1fb
SHA1 4bde7901766868c553316108f4b17fdbb98b3850
SHA256 9002b369b2ef0d9816606b0147e182275a8e80739258a217544d8ff06d8ac8bb
SHA512 5e2938e1254cc8ebdd17666305f62566c5b02c70db4392526a50976b64092e490b50b72d524f1266b27dda3d671ebcf7f2f8f0bdd4ff2136f584b1b5d4a4a389

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_sv.dll

MD5 46b6950aeff8b442295ef7769f3b914a
SHA1 55a12cfd9bac7a72af96ff20ce38e3927df92237
SHA256 53910b87a82e5b10aa613bfaac7d598c7f860d1f0d623ca9871fee5351c52a3f
SHA512 40996fdf055003bb7b1b6839329dcb8843ffb96027168d618bf0425a7e5c70729bd8b65eecd3b41485833099aeb9941cb692d567d250b7cd244b1924a0382fc7

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_sr.dll

MD5 99f3846a87faf61723e4cf83b2042751
SHA1 65e04c48ffa53ad9880375b56908055176b7216c
SHA256 117c9b2f4a3e3b0cde902597672e49914f8e51bbc446c847f403003a1b59e0a2
SHA512 851654f07562c21211362fb57e6d48cf0257ea1a05a6880691e2b52cc55b6931a82888d67651e39d1a365b5398d61f4bb5939b43b024e7ca34b799e2abdcd18c

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_sl.dll

MD5 7d5e325576066992b32aa1040b1aa636
SHA1 e66fec8b63abc4ad17a73df55eab50244c71e939
SHA256 bfcfde4619a4508b250eb18903ddf7a803b3f1517316cd87901ec65ef0eada00
SHA512 3dc578d1e883e4a7fe62338cc61d71482e127025a5875b02893e127faea84f390f86aeedd1678e9f7811d430b9989228afd33456ea1a1001fdcd8201a49b286b

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_sk.dll

MD5 3b63a7a242dea58df351032f35060609
SHA1 41fd5437c44b9f761ea6743bf1fd3542eddc7a21
SHA256 69ee64d083f634aadef8dc1d71df808a945b8bd1c5abcb239fa727c77f5b2123
SHA512 bb5f6464bdcd122981bd1b1b93780a9c968590618fe6a4b1a5aa8d48519edca380a156bf66f4ca5499fecbd28bf5f5a10b30fbb41980f9c9700a9de9240793d4

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ru.dll

MD5 a89c2184c391c850339da6f25ea72f50
SHA1 a47a35a5260c228d3ce3df3f279240bb1f667100
SHA256 8226f1e1f60eac1afc3df1662d9396bcc326a38ea1c770afc8a8dd9c3e64f77b
SHA512 83b9c017ef74b49e2af6553e3a6029cb4a17ca6dbb4bdeb07da8059d95ac855be2ab25838b17046f9aeead1175172b7fd15b2e15449301220cda2a717285ae19

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ro.dll

MD5 e8414657ab77cd8a8918e80c30ed8dec
SHA1 d00225002c138665e10927f72689e35f23b54ca6
SHA256 d4a698c4f3e66051fb0712d4826f25d21df81e2d4fdd546c617211c1dfe4264b
SHA512 251f216e6d2f9642f936db8c39930df0253b5c6a533fcfab98b45e178d412d38f49dd9ccd654c8e96cef1aee7a581a2787ebda763a571d31c0007472eed7094f

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_pt-PT.dll

MD5 202558121ccbfe689603760da782925a
SHA1 4762305c924b7289c786f888d79ce56087f2bb63
SHA256 05bb2c7b93011ab3ba9449104ca48393d5c28d2d04dbed718508b91185e085be
SHA512 e4dc01644347448b9d8571459e82850d6b4525f069be92002142ff155671b2ea11c789ebd889e05398d1a9154ccba344d5f0c12e183f818160d46ea006866115

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_pt-BR.dll

MD5 066b22c0bd1c12a5bd6828e7847f7900
SHA1 a0a86aad7bc80858a87cbd51dc84512e0f5e3b25
SHA256 c8198ac41c933500cac9b945bfa2398d1dcea7811a3974ee36f70c1542b070e0
SHA512 99f41733e181116a026dd31dc28903c5cd4b82b51cc59d528d342754fe3651f39aafa0756474e1f15c54b5b7e1ac1d8985204f34e07eafb91f94ca2bd6977d69

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_pl.dll

MD5 da1b1f3449ac9de41e9175110c62ade2
SHA1 4a7345603fa10bbfc4ba1c63e88c66441e36fed0
SHA256 99fd3253f2024ba12450a6d29b0b9ca47ef56ea6d640b5d2f09da37dd82d91d5
SHA512 1a96a6355d8db434ee668bf9e85ee8cfb7c676cc548621e0c9ee2180deee8caf44fc9c0a3b253c753346cc215453a7e557927ad448ae06aba76ba22c264d5d81

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_no.dll

MD5 09364c51c16e949e602af1acd880a00f
SHA1 a35435756a45a7cbf1badf7fb05aed51be35650c
SHA256 bf369881d57f224a96549fb54ee0b2cfd764b89cb9e0019ca00d0d19056c03db
SHA512 2b8b0df0a3f18d335e7addfc7d3f92041e5376600b30d808be7c0592c55e22478660afc41477fcc0c4d7dbad1c826c3feaa675204053743a6eca8b46115bbe2e

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_nl.dll

MD5 e0b463b5c0667fe3f160ca378a18a1d2
SHA1 f20889edcce1392b8710dd50bc78671eb0c09cc5
SHA256 de840b2acc718ec4ccbb4a288e8168b12641374c90dacf5f83919c6c4c03a7d8
SHA512 6308546fe6ebb9684e9615d81e674a89758142895b9d59ee26a262cdef193d078107bd68b5efe90382b48fa1358e4f79c0c682830051940b7f81dad1feeb9015

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ms.dll

MD5 68f44901f067d7695b4faec7ccb378d8
SHA1 8629111bdbc9c6892e66fbc519a0817afccd6452
SHA256 a736aac59f85aef8d6d3d6468bbebb7699161f24dd22d10022ada8c2fa0099a1
SHA512 7f1b80835d4893ad14303ea77946aa57c51a0f126e68f3dd6d4d40a656790d50dafb74535b10a1faa6e32709be7bed6eb4e21dd998ee86e15464dcb6ef4769fc

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_mr.dll

MD5 484eac1b49dd74b6d4c89c61518baae9
SHA1 a76015a7a8a783ada2d31a7e65f896e769463cde
SHA256 7eac0b6a5af98cd34a8f615d6defbf5ea2ad631919e5c95523686757e87f2113
SHA512 76c0ecd138402e0a1288c4ce8eb9b94dbc2f208adf1625d48bbf83feb8b0f3716e5b037a733f7e40dce7e6f0c73009b22489128b60a832163f36427bc8f96f9c

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ml.dll

MD5 9617b0959ffa41eecac6ed081210b524
SHA1 3e9231477dd99b23084f9a6bdb14874b4c966eb1
SHA256 af9845f8903766cd2ed8219f250546c481ff942e567e13fb58590ad64cf6e34c
SHA512 29b7a8474bfcd89aae3613c215f6e603d8450484529d561a2ddc2b74b4e778cdcbd1108685430365ac2c2f0fb41f8171174387fa8f8ec970136c5f044e68bf9a

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_lt.dll

MD5 0d6edfe2f40d2d3cc88f0ce66290440e
SHA1 8885cfcd302a44a6a8fbf13a8b767f0efca3a3cf
SHA256 7d6dfc09351fb758e1f74a8c2fa437235ae9d9c25956d91b3c1a74e3c7ff6659
SHA512 995ef23434acc805452c1e501d512e911f1b24ba7ff68b16ba4bece69be8dec6127f051796a01829935a70054b1edc813ef85f284cdf2be9af63e0f813ccb9c3

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ko.dll

MD5 5292300ddbecc2720487cae40114b8de
SHA1 49f2ae760099cac4ab7ca2bc28f791e85d75448e
SHA256 0ecce413a9c3d5eded88eabf59de164e1feaf830b55377d02f1425fb7dda88e3
SHA512 337919647d8a4f34067bea95ac3f393ed2ed0dce1a5ec4c54187ae989d0f2c6f4f74a409ca0c41fbf795ec2fdca4204e6a88cf75281b61a8674cec84351f96b3

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_kn.dll

MD5 b566ee792ffc0ffaac2e072db0f9d3d3
SHA1 35d214bb5e17fd946831d39acb00156f32d7e8d6
SHA256 83df16287dcdd5812a3f9adf41003b768df9ca6001d77331314ccde3c8525c8a
SHA512 7c941011b1ac64c63c28bb15d1132e2b611698b8d701a1e0823a8120a35c713709f2d44e35ff884688b13d9906b1b2c3c324902c97d72caaa164acd23bb51453

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ja.dll

MD5 2ff56ae3ad1f85f383aa42a086194909
SHA1 974b9a041b8675af0b236d3bad1840c4291f296a
SHA256 3f77466a5c975d435320e90e7a25e14c84f0dbd1ad4e4ce03525d6d3d10f44f8
SHA512 bd72469fe8862f88b2d3ce628ce54e44af3d3cc5e043121efce4c2fbe73e984b3b7938d4877c2d4e29378db9d12940ca65425909fe8f3e34024fd867849b3996

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_iw.dll

MD5 2d8fe0fe40749487d3f343469cb4ed4a
SHA1 68151cc669a99f74846c1743e0803ae91409921f
SHA256 5108741ce1fe3ffc1fa866ac73bbb13726c8ad2d9f5d387c69b1a92ca234a7a2
SHA512 b578263113f5edfc26fbf893bb0d832f60235af3be361e20fbe64fe6ffc51cc3120e92fb75b348da1545ec0e449b6c2be004852e2a63024fee6c3dfc1b4dd4eb

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_it.dll

MD5 73f622413790002ebf45254d1e5a1ea1
SHA1 53b55408dc9ed6eb01d310c8658ff57c971e4e45
SHA256 bb83a0d819210f548bbe99435fe9c1a8bc50788df6781cda2f6ca22d8c8cc05d
SHA512 f4ee01e70a1d8788367363e6cc572d4fcb12b85068668fefb41ff37e80c29e317157c4525244c4272c3fb66297d06b06a10a7437cb2d1b5a56bb204de67bb16d

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_is.dll

MD5 75d1f5388885e41c0a12644ae388ff69
SHA1 e318acc41d1b079a3446a0038df34032709d27e7
SHA256 b10707a5113d4849c409d3b59a1064c6399109c101405343c09dca1ee986ca6b
SHA512 bfe661dbc8aeb4020080fb9756a09b2adf0c26ce02bb7c497b61d83714e30ef0f1a3938a93686181b0b8cf66cf229b8652870b3f859fde3fba7301ae82f18d2e

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_id.dll

MD5 881f95414c50494ae62f2f8e0709204c
SHA1 ca987f51e990a2854bd561b4a20a002beb40caa2
SHA256 f44a7849d2fe42b07fbe0deb67e4112527452e31a0e1b09fa5eaad3d637d44a2
SHA512 800c30e31659aa864351c1df40f65faf7f9d55cf562f262b1b7255974cbe95d9228a2e044211d6e5bc82f23936b2a5121ea7e2a13c0a415511bfd343deb75719

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_hu.dll

MD5 ba003c4f7523132aac67a14becfd6ee5
SHA1 dcd59eed9eb2e117494bc78c16b6c3da2f4c6cf5
SHA256 1ad6bc6a61e71733b161a479d0dfd7c8f6b53ed4cef98f9cbee45c8f224a34d1
SHA512 480f014d753cbb71b92e46d5f7c497bcc9b60eab853f13cccb723188af4fadd1bc4d77d3d86fb7a4be6ed7e8219f53c3f0e3b1fdfae1ac504fc986fb76ada468

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_hr.dll

MD5 f10e945b4a0caa27b6c93bbe774a9a4f
SHA1 32e2572d329821a6b49213b99afaa84050de6fe5
SHA256 7461b8df4b23f27cdb8bf999102505be897ff8c18f781f34c1f7f73dbeafcce4
SHA512 919c8fb837fe44f8c6b8828708bca01a9ba77ab466d35350e1f113af056c6b6ad7a882469ba78fd623ede39c0811150cd81cec9f2ebf0b18acb86abbe0346952

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_hi.dll

MD5 673e16edc3eb0756fcb2bad19858fa8c
SHA1 125b38a399d677744fe6f9add31540c9583d6e64
SHA256 aaf237ab2ea80d3bc3628e9b9fec255ad6417b4f5fcf5351f0dc150998d46b94
SHA512 5e58ab604cca741865f65c2d371da14f43f9ed66ada19c38f97ea9db850215568bb81404dad93c7ca3482efa41e04a3e72fae5356071c09df05d1ac6abe84d9d

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_fil.dll

MD5 e97c30923109dc4f1e75ed9be51ff97d
SHA1 ed5326c45325f94bdcc485735a1ce7d17b6976de
SHA256 cad333c1800e6d5a046034e64315de2778287fcd192b3f30d39609173fe5d4f1
SHA512 bbd877d2139f32087d3512ecec3b3d16e44b9d2acfe3c91c41c20406075ae1156409df30f4753bfff4e61241067cde2c2aac92ea52254fe4988bee2dafb9e8a0

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_fi.dll

MD5 236de2af2c410c1a02a7fbd7b2316a1b
SHA1 54ff9d2b24ae48c8f9fcb279b54054734ccc6618
SHA256 006eb61aa3e9ea055b2c7d21374666fffd57bbaa262b65f26523d125d6448d37
SHA512 8e6f5e44cb04e84c413f064f30837db3b24f84a33325a937387408ab7d621a6cc884e6df9b434056df490ae998d45d79061fb79001138adf95273a941916114e

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_fa.dll

MD5 3a6e68fe872b293df90696996e76b38f
SHA1 a69b0192f3e768f2f11507e02c0cdf132e1aaab8
SHA256 41e166029b80e8c538f36bfabb7bac40bed848854dfd13e0bf8e8979a3511740
SHA512 3679c836ae3d9501d7f88fc107e09595c6a403bf8a4b1cd251cb443bddb0e84bf6660edc39fce0ec82c05a62e95299987b854ba91373b7b373127a4615f51550

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_es-419.dll

MD5 f82e1dfb6859590345a3743b8593dc87
SHA1 8050281431d32804231b3f9b03187d21225ae8ba
SHA256 0b43e4a4138761c0b3c9bba465d6bd137987d134d21bb135037cf2456c98fddb
SHA512 b43c018f8250b339b02bff466e7fa9a1cc547b0b48efdbd67100eaca507220f6189cbd9c7c753a97a7b0564fbb9815d91f588421682782f1463b6aba150df0d4

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_en-GB.dll

MD5 eb90f269714ff2571c5bdcadd6505ce5
SHA1 65bf50f255ce7e3c49067b702c5ecdb4e4aa774f
SHA256 5f3c880f47811825aee9bab9cafc292d10d9c801a7b2495a823e62c15b2929e6
SHA512 05a058bd7680cc50f3833b2e19b8c82ace2bad5c4da62cde8dd39937dd8f0a1b56481f03747d8628821922ba1e4fe9172416a60ec34d5ca64c8655452593cd0a

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_de.dll

MD5 08a0d1a5117893ae591b9106effe5247
SHA1 0e4a97ad9b157df75d9d954485acef4c1a3531e4
SHA256 5627427ccdadb0cbec2ac81347881a97d65bf8806ae45fa2d8d08d01e0c065a1
SHA512 164b053d225645dbdf0362a78b1850778363d534d2b19a75a0bbfcd3545ef05b87e6351fe3423103d8cf5199204b079760a66d872aee90b1da093a0029bed048

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_da.dll

MD5 bf8ad2db1e4cbc938dd903c799792375
SHA1 4bb18c34b7cdc52ed7a3e93e83f4d08150f29664
SHA256 7b5e8c0cb9043b3f1eaef9b64b695da2c6c0bb679027ce7867fa3eba01b37b5c
SHA512 2ca860f2cb4f8c841f36a03043671b86efccaa7a68283213c5f4881ea017dbe7a80ef3c4e25a21d66198692353327775e6d2bfb2dc9a72ca89011761e44ae318

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_cs.dll

MD5 4b8f45b7e1a39baccc048e4946926f88
SHA1 7fb7e577e6181ceaecbc3f7d0b8d125ad6ad3a81
SHA256 917e26b3a9fafce6d0ae133a1938f5845c4d8273629cfeefb50d373533f51a2a
SHA512 05eed9d216e475c655ac07dfaa03aaeae2d815934b7ed478835a7038ba87e5e2635d954546e9dd3456d74fa0f5ac8a715ad858b2e2473bf6f3d3185ff105b545

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ca.dll

MD5 18b42252e2a7a5c50e22b351d1f9d3b7
SHA1 20c19214e0476290f3ec3396609992b735ffb118
SHA256 dcea9438bd4a16620c28d25169a2b023cfb0ce7ce2b8d713839e5001038e4552
SHA512 2903e9b85717f941f2ac9d49120069973ae6025de6d8a00d2a6da53950ef1fcc0d5b3f4c7ecf599451cce11062aff36c6f069dea911f42f0800148f899be97d7

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_bn.dll

MD5 af71383de3a520b7ce0585a8bf64368f
SHA1 0761a1e14f19385f8524b71be3882d357f070a86
SHA256 a71c82e6bb69da2231566cf012cba276fa0a3644d7cfc732d188ffb420a209ef
SHA512 832fed14a1e549e388e7094d5ad9f7cc54b2085c66cc2f7a5a063a01631520693179c244d4e02042eee2e22d082706d96868cb66ab7e4bccdba282a6d8be4d01

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_gu.dll

MD5 800144063550fb7a04eb285c3e352121
SHA1 05d9de686bf12de71f963f93b8e4d052bd20fe2b
SHA256 0e68bc976c540c659d31f4bd8c6a056891921d50642283dbe166bde69b75f25b
SHA512 c339fe2a31d985c6472ff14f65dc0b4f1f4994a9cc6b6742415a4f12ca250c3c5508595b52afb1795acd619d05aa4dd724401bfa6bc1e49f3d0700d71527025e

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_fr.dll

MD5 79cebac71c94ad83e4499bc217d72bdc
SHA1 84f3e0985062c053a5f977264783af02927b13d5
SHA256 87452cb3bec2fa99fe92d713908153c62c9019bb11df1b6e257a8fad946076b7
SHA512 0ec22277b7cd746b65cb6509297efced79cb14b6c12494322f8734b82632f0c7786d6b3abf58416bb88d2032fd9ede6ae548f869f5f49d79ad880bfa81225c0a

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_am.dll

MD5 86a76c0d9a83f9bebe41b625451130a6
SHA1 462d8d69e0849e8060cd02e5c23f76a477997136
SHA256 60683f854f8ddb182c09106b2e12973f738b16209faa11e749a64be458e7c03f
SHA512 ab73e8ffcde809ece00991d477659c994ffeb518688cd0c531a328f3893af9b671606aca6239927b95aaf4ae8284007ea1229a0f2381ae32f1022c237c9ff923

C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmUpdateComRegisterShell64.exe

MD5 4c4934b6b9275a2f5ec789a0ae4ec9ed
SHA1 2ddccb4f7e5b1e4c1a90670becbf64b94c5dbee0
SHA256 f3455a492f3f6f8319f8a35f49734c972d6cb3c4fb756e1eb2b6d6e37e36ffac
SHA512 524aef1ec4648013f5a25e3486a493d29d37dbca1f73613fe406c19da68cdbe10bac1735a5cafc388dac22e915c3a627775530575583b54ed42410c63163e430

C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmCrashHandler64.exe

MD5 a59880ae7d713204229829e14d658686
SHA1 fa8a1f5af1c3dd5d864fe47bc083d0ab2d30657e
SHA256 57679084e0bdd91f06e2bc47441f9a7f54b746898341f74a0c4d78f7e1c6c4b1
SHA512 8b11b6ca6e1b0097784fe9c60336da37291ff42f3175a849b56f68cb7d0572a647a96591969668fea9583d345cca2f77cf85e82535d137dc2376eda14ee17794

C:\Program Files (x86)\GUM5B8D.tmp\ZoneAlarmCrashHandler.exe

MD5 68351fedf0579636dbba97dd5e0efe80
SHA1 68473a8b1fffc7b0286891c3b19cbe0b6532e61f
SHA256 4613295b428618717cd9c11d35694aa13c0708483e4c15a620e75592ab30c5ec
SHA512 2b0b13cce89ef247b80ffbb3331881a9de9db60204b304fb96d4d76b1873447c1c541118e0fccdb54944d6b68b45ef74a78df0472978b14ee316a11bc340136d

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_el.dll

MD5 aff8107d364418202f6a21b2b03cf9f6
SHA1 89101bcbdfcccdc6608ad3046b1d17da56c01c0e
SHA256 20749fd36930d8c58396409659670b005aa7cb270a610543ed151fc8501f7071
SHA512 e2392d732982d704c1d2fa894fd3c640e8be46731ff8ed140d0a71be567d1b866411afc5da296ef8087c2186d0d3f5f239bea571b152b72642bbb5215911c1a1

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_bg.dll

MD5 8eac2099a1e21bae948d6e149fbdabaf
SHA1 5516edeac6765bd5f30484611782764874b64b08
SHA256 a1062fcaf046c3ad0a13001045acc71dcde10f4802e6fa3caabb1b0f6d821555
SHA512 17e6d1f7c7c79957e8083304249f6f1810ecb5afda5eacceddfe954f5629ca36f7371f58f997cb9924c973b7e58c9d0b44ec803a81bb33f4d07acbc0547ffd3a

C:\Program Files (x86)\GUM5B8D.tmp\goopdateres_ar.dll

MD5 7415d9f09649006e0c1555313e2c3ba9
SHA1 3283f49898a6b4c5a7b39343b5843ebc4cf89b4f
SHA256 277e719233da022d585d1c1888140f02cc3a015f467ce8643658cb9e93d801af
SHA512 e4ac00955561c8dd7ecbdf6c701aea990baeb0fb7fd13328f355705529cabd7f5c661ecc746ae0c750e282c0e8255a25f587b252d6418110758f8ebf4d1d1536

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:17

Platform

debian12-armhf-20240221-en

Max time network

13s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:17

Platform

debian9-mipsel-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:16

Platform

ubuntu2004-amd64-20240611-en

Max time kernel

0s

Max time network

4s

Command Line

[/tmp/ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe]

Signatures

N/A

Processes

/tmp/ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe

[/tmp/ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:16

Platform

ubuntu2404-amd64-20240523-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:16

Platform

android-33-x64-arm64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
BE 142.250.110.188:5228 tcp
GB 172.217.169.68:443 udp
GB 172.217.16.228:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.169.68:443 udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:16

Platform

debian9-mipsbe-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:19

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe"

Signatures

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZoneAlarmUpdate.exe C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZoneAlarmUpdate.exe\DisableExceptionChainValidation = "0" C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GUME966.tmp\psmachine.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\ZoneAlarmCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_fa.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_sk.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmCrashHandler64.exe C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\psuser_64.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_kn.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_sv.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_am.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_cs.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateWebPlugin.exe C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_cs.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_pl.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_da.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ro.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_nl.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_en.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_es.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_gu.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ja.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ta.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File opened for modification C:\Program Files (x86)\GUTE967.tmp C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_pt-BR.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_hi.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_sw.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateBroker.exe C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_fil.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_ms.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_sw.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_no.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\psmachine_64.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_iw.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_es-419.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_uk.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\psuser_64.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_bg.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_el.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_ta.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_lv.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateSetup.exe C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\psmachine.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_fa.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_mr.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_pt-BR.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_th.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_it.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_fi.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_lt.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ms.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\npZoneAlarmUpdate3.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_ru.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_et.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateCore.exe C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ru.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_te.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\goopdateres_ur.dll C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdate.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_de.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_nl.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A
File created C:\Program Files (x86)\GUME966.tmp\goopdateres_ur.dll C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\AppName = "ZoneAlarmUpdateWebPlugin.exe" C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8} C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\AppName = "ZoneAlarmUpdateBroker.exe" C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\AppPath = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0" C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3}\CLSID = "{D5B80838-9D7E-4A94-8115-17A76F676AD3}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\AppPath = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0" C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\Policy = "3" C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A55D03B-5313-409B-A2DB-3677800A7AD8}\Policy = "3" C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D5B80838-9D7E-4A94-8115-17A76F676AD3}\Policy = "3" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F14E3171-3473-43E0-A7A6-0EBB438C005A} C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{499D1391-3A6B-4F0F-844D-1DD9CA45ED03}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A86AF1BE-D06B-4569-B99A-814124EA8B20}\NumMethods\ = "11" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1557BFC-F8CE-4EA3-9130-9F461F91379C}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.OnDemandCOMClassSvc.1.0\ = "Google Update Legacy On Demand" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5B80838-9D7E-4A94-8115-17A76F676AD3}\ = "CheckPoint.OneClickProcessLauncher" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D4E3B9-85B5-4402-B456-516E9B4AC7A9} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFD71C6F-13FF-4E4F-BAAF-097A1E12B523}\Elevation\IconReference = "@C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\goopdate.dll,-1004" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4AB999-B493-446E-B067-BF3E1C1B872F}\NumMethods\ = "4" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D088BAD8-E92C-4500-BDBC-5CF5E239F40E}\NumMethods\ = "17" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86BAA25A-9A0A-4F50-BCC4-1496BBDFBF6D}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E203DBE4-F5C3-40F0-8742-BDAF5E3C1E5A}\Elevation\Enabled = "1" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86BAA25A-9A0A-4F50-BCC4-1496BBDFBF6D}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73E7D42D-2571-466E-9394-55368FA96512}\InprocHandler32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3065C225-61D8-4BD8-8341-BB49BB3A5257}\ = "IProcessLauncher2" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC5AB8D5-6AFA-43B7-BDAE-06FEC4ECBE04}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1557BFC-F8CE-4EA3-9130-9F461F91379C}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73E7D42D-2571-466E-9394-55368FA96512} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D088BAD8-E92C-4500-BDBC-5CF5E239F40E} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A86AF1BE-D06B-4569-B99A-814124EA8B20} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A575A3D-7CEA-422B-9F46-5BBA3BD3FFFF}\NumMethods\ = "10" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86BAA25A-9A0A-4F50-BCC4-1496BBDFBF6D}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F14E3171-3473-43E0-A7A6-0EBB438C005A}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\ = "CATID_AppContainerCompatible" C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A90FC543-A20F-4B53-A2E4-4E7923933F8D}\LocalService = "zus" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.Update3COMClassService.1.0\CLSID C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD29A878-82EC-4F08-97D7-8C7C691892F0}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CoreMachineClass\CurVer\ = "CheckPointUpdate.CoreMachineClass.1" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5C6BA10-52D1-4AB1-8A40-FF24B9705E0E} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B930D828-1FD1-4255-8336-1CDA396C671D}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86BAA25A-9A0A-4F50-BCC4-1496BBDFBF6D}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7953CDFA-B704-435C-A81A-BF89B3055697}\LocalServer32 C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92785311-171B-4358-A89D-11AC094F5717}\NumMethods\ = "41" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86BAA25A-9A0A-4F50-BCC4-1496BBDFBF6D}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601B182F-F89A-4B53-B847-7987B45D5290}\ = "IPackage" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A575A3D-7CEA-422B-9F46-5BBA3BD3FFFF}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A93F6E13-DB63-493B-9170-BD91278A1E57}\NumMethods\ = "8" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D6CD051-BC09-46FF-84C9-9CE3E459F6AD} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}\InProcServer32\ = "C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\psmachine_64.dll" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CoreClass\CurVer C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CoreClass\CurVer\ = "CheckPointUpdate.CoreClass.1" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1557BFC-F8CE-4EA3-9130-9F461F91379C}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F6129020-E3CC-4B89-B9B6-0945B68F3A8C}\ = "IApp2" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A90FC543-A20F-4B53-A2E4-4E7923933F8D}\ = "ServiceModule" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39D75D4A-0F18-484D-88B4-25153FE1DD7F}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.CoreClass\ = "Google Update Core Class" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A93F6E13-DB63-493B-9170-BD91278A1E57}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBA995AE-E466-4EF5-B49C-16C2BF29305F}\NumMethods C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39D75D4A-0F18-484D-88B4-25153FE1DD7F} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E203DBE4-F5C3-40F0-8742-BDAF5E3C1E5A} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A90FC543-A20F-4B53-A2E4-4E7923933F8D}\ = "Update3COMClass" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheckPointUpdate.OnDemandCOMClassSvc\CurVer C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D4E3B9-85B5-4402-B456-516E9B4AC7A9}\ = "IAppVersionWeb" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62D4E3B9-85B5-4402-B456-516E9B4AC7A9}\ProxyStubClsid32 C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A24699BB-64FB-4AF5-A6BA-411D45392F7C}\ = "IProcessLauncher" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CD5C033-8E26-4B96-A6FB-393DCCF30294}\NumMethods C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8C715AA-73C2-4603-BB9A-7B67492B2D6A}\NumMethods\ = "41" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39D75D4A-0F18-484D-88B4-25153FE1DD7F}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8C715AA-73C2-4603-BB9A-7B67492B2D6A}\ProxyStubClsid32\ = "{1190AEEE-4FC7-43DB-BBFF-6D5840967C56}" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DF65338-FEC8-4270-A02A-B06B1DE3AC09} C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC307423-DEA5-4E91-A312-A738BE74A13F}\ProgID\ = "CheckPointUpdate.OnDemandCOMClassMachineFallback.1.0" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC307423-DEA5-4E91-A312-A738BE74A13F}\VersionIndependentProgID\ = "CheckPointUpdate.OnDemandCOMClassMachineFallback" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC307423-DEA5-4E91-A312-A738BE74A13F}\LocalServer32\ = "\"C:\\Program Files (x86)\\CheckPoint\\Update\\1.3.99.0\\ZoneAlarmUpdateOnDemand.exe\"" C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CD5C033-8E26-4B96-A6FB-393DCCF30294} C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3065C225-61D8-4BD8-8341-BB49BB3A5257}\NumMethods C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4568 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe
PID 4568 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe
PID 4568 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe
PID 3372 wrote to memory of 4008 N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 3372 wrote to memory of 4008 N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 3372 wrote to memory of 4008 N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 3372 wrote to memory of 1952 N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 3372 wrote to memory of 1952 N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 3372 wrote to memory of 1952 N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1952 wrote to memory of 3112 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1952 wrote to memory of 3112 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1952 wrote to memory of 216 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1952 wrote to memory of 216 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1952 wrote to memory of 1420 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 1952 wrote to memory of 1420 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe
PID 3372 wrote to memory of 4576 N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 3372 wrote to memory of 4576 N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 3372 wrote to memory of 4576 N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 3372 wrote to memory of 4660 N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 3372 wrote to memory of 4660 N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 3372 wrote to memory of 4660 N/A C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1292 wrote to memory of 3184 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1292 wrote to memory of 3184 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe
PID 1292 wrote to memory of 3184 N/A C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe

"C:\Users\Admin\AppData\Local\Temp\ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe"

C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe" /installsource taggedmi /install "bundlename=Product&appguid={814E4157-8A6C-461B-A80F-B75931228CA1}&appname=ZoneAlarmNG&needsadmin=True&lang=en&ap=ZANG_FW_FR&usagestats=1"

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /regsvc

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /regserver

C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe

"C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"

C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe

"C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"

C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe

"C:\Program Files (x86)\CheckPoint\Update\1.3.99.0\ZoneAlarmUpdateComRegisterShell64.exe"

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuOTkuMCIgc2hlbGxfdmVyc2lvbj0iMS4zLjk5LjAiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDREMzI4NDYtOTE5RC00Q0NCLUJDNTYtMjM1ODZFRjU2QTI4fSIgdXNlcmlkPSJ7OTcwRkVCMDEtQjA3MS00RjhFLUFCNjUtMzlGNDBENENFMzc4fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0iezc4QzcyRTc2LTBEMjEtNDVFRi04NzEwLTBFOTJGMUU1RjVGMX0iIGRlZHVwPSJjciI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy45OS4wIiBsYW5nPSJlbiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNzUwIi8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /handoff "bundlename=Product&appguid={814E4157-8A6C-461B-A80F-B75931228CA1}&appname=ZoneAlarmNG&needsadmin=True&lang=en&ap=ZANG_FW_FR&usagestats=1" /installsource taggedmi /sessionid "{04D32846-919D-4CCB-BC56-23586EF56A28}"

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /svc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8

C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe

"C:\Program Files (x86)\CheckPoint\Update\ZoneAlarmUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuOTkuMCIgc2hlbGxfdmVyc2lvbj0iMS4zLjk5LjAiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDREMzI4NDYtOTE5RC00Q0NCLUJDNTYtMjM1ODZFRjU2QTI4fSIgdXNlcmlkPSJ7OTcwRkVCMDEtQjA3MS00RjhFLUFCNjUtMzlGNDBENENFMzc4fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHRlc3Rzb3VyY2U9ImF1dG8iIHJlcXVlc3RpZD0iezI5M0Y3NTRFLUI3NkUtNDFCMS04RDlCLUQ1NTcyMkE4NEM3NX0iIGRlZHVwPSJjciI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezgxNEU0MTU3LThBNkMtNDYxQi1BODBGLUI3NTkzMTIyOENBMX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IiIgYXA9IlpBTkdfRldfRlIiIGxhbmc9ImVuIiBicmFuZD0iIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMTI4OTQiIGV4dHJhY29kZTE9IjI2ODQzNTQ1OSIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjExMzQzNyIvPjwvYXBwPjwvcmVxdWVzdD4

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 zupdate.zonealarm.com udp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 8.8.8.8:53 77.209.87.209.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:443 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 209.87.209.77:80 zupdate.zonealarm.com tcp
US 8.8.8.8:53 79.242.123.52.in-addr.arpa udp
US 209.87.209.77:443 zupdate.zonealarm.com tcp

Files

C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdate.exe

MD5 89fd362b23a35657a6336df3cfd64e7b
SHA1 654cb73032f37152a5246765f4b4d402689a0b55
SHA256 07535f001d9ff626d2b7295eacf881eee074b704a0ac6041d8ba4bc3e58d48b9
SHA512 9b9573e5863c4f837436dd5d0501faf6308efeb209294ae60944867b4ac1aa29dbaefbb7539118b963751843f04b9f789da45fce017e515949500f9da0f03fd5

C:\Program Files (x86)\GUME966.tmp\goopdate.dll

MD5 572b21a1706173306e8d8a3ac8007117
SHA1 ba8edaa5dbdeeb93e8fd22db3580b2e4774e8999
SHA256 f93ff69079392ebe57ab5e23076d2661145434487731c07a961d316c17ad7d34
SHA512 fe7201c898184456555c3aedd37703bf5d806418686f0ed8ab1960a914169d23d8b6254eb9960a6cca3cf78c33ee1d329b6ccb7c6035eccb0bdc42c5c7508cb9

C:\Program Files (x86)\GUME966.tmp\goopdateres_en.dll

MD5 972dbfb7a1e859eb98f4e538a7eb351f
SHA1 28869e21c5ec908f69366050f844181f4c9d2637
SHA256 97d8d9549ff2a214fce74ac746ded5b58681aabb70af4a854b324e45ecc16725
SHA512 8ca155487cc68fa465a127e121f085ce911879feca9bfc425d5fa83935178617e3b5889c471af78a3527cbcdcaff774b6ef6a70a2c57a144badd617b976f7b12

C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdateCore.exe

MD5 68274b512b5752d9a914e5ab1de5926f
SHA1 20cced7104ccd49128493e0263f5774248c31478
SHA256 735017aa118ef862fedfff0707d5fcbd2abc918019a0c2cdf191f5403f18e300
SHA512 3810ff02cf6914e93f8f2a8c8ab04e6ad941864e38d2f0a6fea3f6b9c08041a0620e4a768387821db31b6aa1026051fc0c2deacd739752445ceb9cd27e3a4236

C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdateComRegisterShell64.exe

MD5 4c4934b6b9275a2f5ec789a0ae4ec9ed
SHA1 2ddccb4f7e5b1e4c1a90670becbf64b94c5dbee0
SHA256 f3455a492f3f6f8319f8a35f49734c972d6cb3c4fb756e1eb2b6d6e37e36ffac
SHA512 524aef1ec4648013f5a25e3486a493d29d37dbca1f73613fe406c19da68cdbe10bac1735a5cafc388dac22e915c3a627775530575583b54ed42410c63163e430

C:\Program Files (x86)\GUME966.tmp\goopdateres_es.dll

MD5 15a860e025f056cdce88fa27d8c353fe
SHA1 ef17565ac1617b31f15264c689741df998367583
SHA256 1fdd0b09a513c1d47c384887677efb50d2632a561249743305f1e8b1d5c56363
SHA512 52949b64bd225931b591e424f6f29545f73ff6a4a757529e0998fea6ee1b772cac3ca33aeb143be5edc5dd51cb7aac34ffe4c5fc769cbc63a4ccacada56e4ec8

C:\Program Files (x86)\GUME966.tmp\goopdateres_fi.dll

MD5 236de2af2c410c1a02a7fbd7b2316a1b
SHA1 54ff9d2b24ae48c8f9fcb279b54054734ccc6618
SHA256 006eb61aa3e9ea055b2c7d21374666fffd57bbaa262b65f26523d125d6448d37
SHA512 8e6f5e44cb04e84c413f064f30837db3b24f84a33325a937387408ab7d621a6cc884e6df9b434056df490ae998d45d79061fb79001138adf95273a941916114e

C:\Program Files (x86)\GUME966.tmp\goopdateres_th.dll

MD5 1b0e309b6d856586c7ab1512b416396e
SHA1 fd8b1e01aec80244aa301dc27ef49f47530b3f51
SHA256 19bb3c0e142b1d841cc8fd86062502f91201f4fd2aedc29d0896558bee454d8c
SHA512 fb3197899bc77384646ebfc2f6cec4074a1391bbbc64e6a65f931514d8f1ec6334e5f64426e2004a0398a34e1603957eb183fc4b1c8cafcb979878463022e11a

C:\Program Files (x86)\GUME966.tmp\goopdateres_zh-CN.dll

MD5 1dd286ef09d0c7b64c1ee48b7c3a0830
SHA1 bb83d95229f2a716080d188738ffee3689ea024d
SHA256 706800afaec480a42c5ed3865af6c25ab4bc87bbc8a35cfde6d93d93b1cc3a8a
SHA512 cc8eea141a6317579eed7076adfb7a88eb4bf1da82dea6e89413b8bba385a61b46be6ae20ff7bada5c78ec701d1c34dc2091b2f32f9624fa43d5ce6002eb1d85

C:\Program Files (x86)\GUME966.tmp\goopdateres_vi.dll

MD5 429079c567a45934ba0f96f0fa8adcf7
SHA1 e255a17e31b9de9109aae80682d9aa1e08e1225c
SHA256 a5482b5cd705c7c21cf909271a21ca1d14ad5776eed3cde6cc172c1325fdec8b
SHA512 051f8842d8b98bac43143960c09aa6ee6e348243471db7689178e77b56eb7bb4a5c17dd1989a5723f4059c31ba85ac132f9d642cfcaa8dc7fdf22aad89f45e73

C:\Program Files (x86)\GUME966.tmp\goopdateres_ur.dll

MD5 6cfec1ef3d0858cbe82f6216e4ebbe34
SHA1 ce902ab62bf916d73eacab6f124f0f68a123d83e
SHA256 651eac1234c920085234b905c18561a004093f6541259665aa7b60c98770a5a7
SHA512 8fd34677e6a6d25a39c9b6e6672ce3375b30b6325adc4411e57ecc1844961ef7818041a8af1039ca33044ef353754b9eab812696b75e0250f7e87c44c3333d0a

C:\Program Files (x86)\GUME966.tmp\goopdateres_uk.dll

MD5 9e5bed7cfd75f31c673a7667429afd0c
SHA1 c08f3146849c381b0c6fadea5e32517e7fc8d1fc
SHA256 f2606857c9deee910ee531294cf718bbab1c68c3c5936c58a47c5e821f7cc818
SHA512 1b47666e537e4a1adcbc733721615f938f291b522bc7a486e4d4080073a9b325162be535a8ff7074a7ca7a11f7793e8894158cb95e13840250c42931d6283e7e

C:\Program Files (x86)\GUME966.tmp\goopdateres_tr.dll

MD5 a07aa91448fc5dab182551080df5739c
SHA1 e413b60ecb5ac8424bad0aec45313081f0de6ed3
SHA256 64aad643d5cec54e9e4dd16fd8bf10bda663058d46ddafc28251e60bb5bee3ac
SHA512 062d44b7893a6f56c4d021e2dc4e1dea6fd64d94b8223ba4c7b19596a819c22ea2d90c289b254447ba0febe168c2c8a6a4431ca8f2ec344afbb74404ce11e559

C:\Program Files (x86)\GUME966.tmp\goopdateres_te.dll

MD5 2bd1cf9d36587a808c45de619265b207
SHA1 cdeda1c3e928795a6efbfd27b3e110d3296eab21
SHA256 ff308027487ad0c875b09bb4b3d7d18a93804ddc886b2ef76584e9ab17f9c00c
SHA512 6c35eb41e0254667024ddb2d0625e603deac6fc446f357d7ee55775c044987cb034ce9dfe29147478d21718f4670cf80e8c191d30b770d82e7340d48e2461948

C:\Program Files (x86)\GUME966.tmp\goopdateres_ta.dll

MD5 e59d868f96c6613fb7aedf9aee5e1b40
SHA1 64f015ccb8ee522570af421dfd32a8487e8f2f70
SHA256 7ef30b858cbc4aab5512e03659658b80b0401446010b4435e8cbcc7650c2769a
SHA512 f45b7a17e30a36093c639ba9f6c8cad87425b152ea22e2ced1bdcc4711a04f62cf2f92cb618bb786e228479de6eec8fba141e80a221d50e50ec00fb1b388bf59

C:\Program Files (x86)\GUME966.tmp\goopdateres_sw.dll

MD5 4fc95fd2175940f957f92cf58832b1fb
SHA1 4bde7901766868c553316108f4b17fdbb98b3850
SHA256 9002b369b2ef0d9816606b0147e182275a8e80739258a217544d8ff06d8ac8bb
SHA512 5e2938e1254cc8ebdd17666305f62566c5b02c70db4392526a50976b64092e490b50b72d524f1266b27dda3d671ebcf7f2f8f0bdd4ff2136f584b1b5d4a4a389

C:\Program Files (x86)\GUME966.tmp\goopdateres_sv.dll

MD5 46b6950aeff8b442295ef7769f3b914a
SHA1 55a12cfd9bac7a72af96ff20ce38e3927df92237
SHA256 53910b87a82e5b10aa613bfaac7d598c7f860d1f0d623ca9871fee5351c52a3f
SHA512 40996fdf055003bb7b1b6839329dcb8843ffb96027168d618bf0425a7e5c70729bd8b65eecd3b41485833099aeb9941cb692d567d250b7cd244b1924a0382fc7

C:\Program Files (x86)\GUME966.tmp\goopdateres_zh-TW.dll

MD5 15d8ae5796f89352cf180cb52f945288
SHA1 d6428733ab5ed7ae658f7679bc13b2b174e11727
SHA256 317a0c699ee4ece5cb012b04eb3f097a5eebf1d5c8afa36599196d4711b56a8a
SHA512 0a6fe859bf8a1cd3c1a7c6ffccf309011ae89fcf769feec31ce3b1486d78d1ea22d9110085221d7698e41a4ee8f174f5e1d1ce8d2e5fb985f1d9bff145febaa6

C:\Program Files (x86)\GUME966.tmp\ZoneAlarmUpdateHelper.msi

MD5 04ae2a984df761cf7f03e8ebae605422
SHA1 1fd95b89012cd6f74b923e6f99bc44c3d104ee7b
SHA256 f633034b2b466ff541bc4aab77b41c1d7a5490ef0cad81c70be07fe2d96b3a18
SHA512 fc8eed12356e633b70f4ef16c7a0b17611e1375208733d53b90545d701d51746e60d77b3af92e2f62a551640feffcb16efa8f5d64e440d82b3d8c47b46522aaa

C:\Program Files (x86)\GUME966.tmp\goopdateres_sr.dll

MD5 99f3846a87faf61723e4cf83b2042751
SHA1 65e04c48ffa53ad9880375b56908055176b7216c
SHA256 117c9b2f4a3e3b0cde902597672e49914f8e51bbc446c847f403003a1b59e0a2
SHA512 851654f07562c21211362fb57e6d48cf0257ea1a05a6880691e2b52cc55b6931a82888d67651e39d1a365b5398d61f4bb5939b43b024e7ca34b799e2abdcd18c

C:\Program Files (x86)\GUME966.tmp\goopdateres_sl.dll

MD5 7d5e325576066992b32aa1040b1aa636
SHA1 e66fec8b63abc4ad17a73df55eab50244c71e939
SHA256 bfcfde4619a4508b250eb18903ddf7a803b3f1517316cd87901ec65ef0eada00
SHA512 3dc578d1e883e4a7fe62338cc61d71482e127025a5875b02893e127faea84f390f86aeedd1678e9f7811d430b9989228afd33456ea1a1001fdcd8201a49b286b

C:\Program Files (x86)\GUME966.tmp\goopdateres_sk.dll

MD5 3b63a7a242dea58df351032f35060609
SHA1 41fd5437c44b9f761ea6743bf1fd3542eddc7a21
SHA256 69ee64d083f634aadef8dc1d71df808a945b8bd1c5abcb239fa727c77f5b2123
SHA512 bb5f6464bdcd122981bd1b1b93780a9c968590618fe6a4b1a5aa8d48519edca380a156bf66f4ca5499fecbd28bf5f5a10b30fbb41980f9c9700a9de9240793d4

C:\Program Files (x86)\GUME966.tmp\goopdateres_ru.dll

MD5 a89c2184c391c850339da6f25ea72f50
SHA1 a47a35a5260c228d3ce3df3f279240bb1f667100
SHA256 8226f1e1f60eac1afc3df1662d9396bcc326a38ea1c770afc8a8dd9c3e64f77b
SHA512 83b9c017ef74b49e2af6553e3a6029cb4a17ca6dbb4bdeb07da8059d95ac855be2ab25838b17046f9aeead1175172b7fd15b2e15449301220cda2a717285ae19

C:\Program Files (x86)\GUME966.tmp\goopdateres_ro.dll

MD5 e8414657ab77cd8a8918e80c30ed8dec
SHA1 d00225002c138665e10927f72689e35f23b54ca6
SHA256 d4a698c4f3e66051fb0712d4826f25d21df81e2d4fdd546c617211c1dfe4264b
SHA512 251f216e6d2f9642f936db8c39930df0253b5c6a533fcfab98b45e178d412d38f49dd9ccd654c8e96cef1aee7a581a2787ebda763a571d31c0007472eed7094f

C:\Program Files (x86)\GUME966.tmp\goopdateres_pt-PT.dll

MD5 202558121ccbfe689603760da782925a
SHA1 4762305c924b7289c786f888d79ce56087f2bb63
SHA256 05bb2c7b93011ab3ba9449104ca48393d5c28d2d04dbed718508b91185e085be
SHA512 e4dc01644347448b9d8571459e82850d6b4525f069be92002142ff155671b2ea11c789ebd889e05398d1a9154ccba344d5f0c12e183f818160d46ea006866115

C:\Program Files (x86)\GUME966.tmp\goopdateres_pt-BR.dll

MD5 066b22c0bd1c12a5bd6828e7847f7900
SHA1 a0a86aad7bc80858a87cbd51dc84512e0f5e3b25
SHA256 c8198ac41c933500cac9b945bfa2398d1dcea7811a3974ee36f70c1542b070e0
SHA512 99f41733e181116a026dd31dc28903c5cd4b82b51cc59d528d342754fe3651f39aafa0756474e1f15c54b5b7e1ac1d8985204f34e07eafb91f94ca2bd6977d69

C:\Program Files (x86)\GUME966.tmp\goopdateres_pl.dll

MD5 da1b1f3449ac9de41e9175110c62ade2
SHA1 4a7345603fa10bbfc4ba1c63e88c66441e36fed0
SHA256 99fd3253f2024ba12450a6d29b0b9ca47ef56ea6d640b5d2f09da37dd82d91d5
SHA512 1a96a6355d8db434ee668bf9e85ee8cfb7c676cc548621e0c9ee2180deee8caf44fc9c0a3b253c753346cc215453a7e557927ad448ae06aba76ba22c264d5d81

C:\Program Files (x86)\GUME966.tmp\goopdateres_no.dll

MD5 09364c51c16e949e602af1acd880a00f
SHA1 a35435756a45a7cbf1badf7fb05aed51be35650c
SHA256 bf369881d57f224a96549fb54ee0b2cfd764b89cb9e0019ca00d0d19056c03db
SHA512 2b8b0df0a3f18d335e7addfc7d3f92041e5376600b30d808be7c0592c55e22478660afc41477fcc0c4d7dbad1c826c3feaa675204053743a6eca8b46115bbe2e

C:\Program Files (x86)\GUME966.tmp\goopdateres_nl.dll

MD5 e0b463b5c0667fe3f160ca378a18a1d2
SHA1 f20889edcce1392b8710dd50bc78671eb0c09cc5
SHA256 de840b2acc718ec4ccbb4a288e8168b12641374c90dacf5f83919c6c4c03a7d8
SHA512 6308546fe6ebb9684e9615d81e674a89758142895b9d59ee26a262cdef193d078107bd68b5efe90382b48fa1358e4f79c0c682830051940b7f81dad1feeb9015

C:\Program Files (x86)\GUME966.tmp\goopdateres_ms.dll

MD5 68f44901f067d7695b4faec7ccb378d8
SHA1 8629111bdbc9c6892e66fbc519a0817afccd6452
SHA256 a736aac59f85aef8d6d3d6468bbebb7699161f24dd22d10022ada8c2fa0099a1
SHA512 7f1b80835d4893ad14303ea77946aa57c51a0f126e68f3dd6d4d40a656790d50dafb74535b10a1faa6e32709be7bed6eb4e21dd998ee86e15464dcb6ef4769fc

C:\Program Files (x86)\GUME966.tmp\goopdateres_mr.dll

MD5 484eac1b49dd74b6d4c89c61518baae9
SHA1 a76015a7a8a783ada2d31a7e65f896e769463cde
SHA256 7eac0b6a5af98cd34a8f615d6defbf5ea2ad631919e5c95523686757e87f2113
SHA512 76c0ecd138402e0a1288c4ce8eb9b94dbc2f208adf1625d48bbf83feb8b0f3716e5b037a733f7e40dce7e6f0c73009b22489128b60a832163f36427bc8f96f9c

C:\Program Files (x86)\GUME966.tmp\goopdateres_ml.dll

MD5 9617b0959ffa41eecac6ed081210b524
SHA1 3e9231477dd99b23084f9a6bdb14874b4c966eb1
SHA256 af9845f8903766cd2ed8219f250546c481ff942e567e13fb58590ad64cf6e34c
SHA512 29b7a8474bfcd89aae3613c215f6e603d8450484529d561a2ddc2b74b4e778cdcbd1108685430365ac2c2f0fb41f8171174387fa8f8ec970136c5f044e68bf9a

C:\Program Files (x86)\GUME966.tmp\goopdateres_lv.dll

MD5 5f2d6b0aa3fc70637ea0d86863f4e9d3
SHA1 66719518fc6204fa5b3cd5e881c33b385157a3a3
SHA256 fc4bb495fd17d999924ccf6b66a6cb010d27e4f2a7e5a63e152be7dead3bdf19
SHA512 8d6ddc7770b4b81b96f5be5b15e6b6079a00635298b268d1082a2a8af1385b8bf86783c8fe1b3369ee8002eab1049fb564534e8c76a22a5d74162ac6ca484e59

C:\Program Files (x86)\GUME966.tmp\goopdateres_lt.dll

MD5 0d6edfe2f40d2d3cc88f0ce66290440e
SHA1 8885cfcd302a44a6a8fbf13a8b767f0efca3a3cf
SHA256 7d6dfc09351fb758e1f74a8c2fa437235ae9d9c25956d91b3c1a74e3c7ff6659
SHA512 995ef23434acc805452c1e501d512e911f1b24ba7ff68b16ba4bece69be8dec6127f051796a01829935a70054b1edc813ef85f284cdf2be9af63e0f813ccb9c3

C:\Program Files (x86)\GUME966.tmp\goopdateres_ko.dll

MD5 5292300ddbecc2720487cae40114b8de
SHA1 49f2ae760099cac4ab7ca2bc28f791e85d75448e
SHA256 0ecce413a9c3d5eded88eabf59de164e1feaf830b55377d02f1425fb7dda88e3
SHA512 337919647d8a4f34067bea95ac3f393ed2ed0dce1a5ec4c54187ae989d0f2c6f4f74a409ca0c41fbf795ec2fdca4204e6a88cf75281b61a8674cec84351f96b3

C:\Program Files (x86)\GUME966.tmp\goopdateres_kn.dll

MD5 b566ee792ffc0ffaac2e072db0f9d3d3
SHA1 35d214bb5e17fd946831d39acb00156f32d7e8d6
SHA256 83df16287dcdd5812a3f9adf41003b768df9ca6001d77331314ccde3c8525c8a
SHA512 7c941011b1ac64c63c28bb15d1132e2b611698b8d701a1e0823a8120a35c713709f2d44e35ff884688b13d9906b1b2c3c324902c97d72caaa164acd23bb51453

C:\Program Files (x86)\GUME966.tmp\goopdateres_ja.dll

MD5 2ff56ae3ad1f85f383aa42a086194909
SHA1 974b9a041b8675af0b236d3bad1840c4291f296a
SHA256 3f77466a5c975d435320e90e7a25e14c84f0dbd1ad4e4ce03525d6d3d10f44f8
SHA512 bd72469fe8862f88b2d3ce628ce54e44af3d3cc5e043121efce4c2fbe73e984b3b7938d4877c2d4e29378db9d12940ca65425909fe8f3e34024fd867849b3996

C:\Program Files (x86)\GUME966.tmp\goopdateres_iw.dll

MD5 2d8fe0fe40749487d3f343469cb4ed4a
SHA1 68151cc669a99f74846c1743e0803ae91409921f
SHA256 5108741ce1fe3ffc1fa866ac73bbb13726c8ad2d9f5d387c69b1a92ca234a7a2
SHA512 b578263113f5edfc26fbf893bb0d832f60235af3be361e20fbe64fe6ffc51cc3120e92fb75b348da1545ec0e449b6c2be004852e2a63024fee6c3dfc1b4dd4eb

C:\Program Files (x86)\GUME966.tmp\goopdateres_it.dll

MD5 73f622413790002ebf45254d1e5a1ea1
SHA1 53b55408dc9ed6eb01d310c8658ff57c971e4e45
SHA256 bb83a0d819210f548bbe99435fe9c1a8bc50788df6781cda2f6ca22d8c8cc05d
SHA512 f4ee01e70a1d8788367363e6cc572d4fcb12b85068668fefb41ff37e80c29e317157c4525244c4272c3fb66297d06b06a10a7437cb2d1b5a56bb204de67bb16d

C:\Program Files (x86)\GUME966.tmp\goopdateres_is.dll

MD5 75d1f5388885e41c0a12644ae388ff69
SHA1 e318acc41d1b079a3446a0038df34032709d27e7
SHA256 b10707a5113d4849c409d3b59a1064c6399109c101405343c09dca1ee986ca6b
SHA512 bfe661dbc8aeb4020080fb9756a09b2adf0c26ce02bb7c497b61d83714e30ef0f1a3938a93686181b0b8cf66cf229b8652870b3f859fde3fba7301ae82f18d2e

C:\Program Files (x86)\GUME966.tmp\goopdateres_id.dll

MD5 881f95414c50494ae62f2f8e0709204c
SHA1 ca987f51e990a2854bd561b4a20a002beb40caa2
SHA256 f44a7849d2fe42b07fbe0deb67e4112527452e31a0e1b09fa5eaad3d637d44a2
SHA512 800c30e31659aa864351c1df40f65faf7f9d55cf562f262b1b7255974cbe95d9228a2e044211d6e5bc82f23936b2a5121ea7e2a13c0a415511bfd343deb75719

C:\Program Files (x86)\GUME966.tmp\goopdateres_hu.dll

MD5 ba003c4f7523132aac67a14becfd6ee5
SHA1 dcd59eed9eb2e117494bc78c16b6c3da2f4c6cf5
SHA256 1ad6bc6a61e71733b161a479d0dfd7c8f6b53ed4cef98f9cbee45c8f224a34d1
SHA512 480f014d753cbb71b92e46d5f7c497bcc9b60eab853f13cccb723188af4fadd1bc4d77d3d86fb7a4be6ed7e8219f53c3f0e3b1fdfae1ac504fc986fb76ada468

C:\Program Files (x86)\GUME966.tmp\goopdateres_hr.dll

MD5 f10e945b4a0caa27b6c93bbe774a9a4f
SHA1 32e2572d329821a6b49213b99afaa84050de6fe5
SHA256 7461b8df4b23f27cdb8bf999102505be897ff8c18f781f34c1f7f73dbeafcce4
SHA512 919c8fb837fe44f8c6b8828708bca01a9ba77ab466d35350e1f113af056c6b6ad7a882469ba78fd623ede39c0811150cd81cec9f2ebf0b18acb86abbe0346952

C:\Program Files (x86)\GUME966.tmp\goopdateres_hi.dll

MD5 673e16edc3eb0756fcb2bad19858fa8c
SHA1 125b38a399d677744fe6f9add31540c9583d6e64
SHA256 aaf237ab2ea80d3bc3628e9b9fec255ad6417b4f5fcf5351f0dc150998d46b94
SHA512 5e58ab604cca741865f65c2d371da14f43f9ed66ada19c38f97ea9db850215568bb81404dad93c7ca3482efa41e04a3e72fae5356071c09df05d1ac6abe84d9d

C:\Program Files (x86)\GUME966.tmp\goopdateres_gu.dll

MD5 800144063550fb7a04eb285c3e352121
SHA1 05d9de686bf12de71f963f93b8e4d052bd20fe2b
SHA256 0e68bc976c540c659d31f4bd8c6a056891921d50642283dbe166bde69b75f25b
SHA512 c339fe2a31d985c6472ff14f65dc0b4f1f4994a9cc6b6742415a4f12ca250c3c5508595b52afb1795acd619d05aa4dd724401bfa6bc1e49f3d0700d71527025e

C:\Program Files (x86)\GUME966.tmp\goopdateres_fr.dll

MD5 79cebac71c94ad83e4499bc217d72bdc
SHA1 84f3e0985062c053a5f977264783af02927b13d5
SHA256 87452cb3bec2fa99fe92d713908153c62c9019bb11df1b6e257a8fad946076b7
SHA512 0ec22277b7cd746b65cb6509297efced79cb14b6c12494322f8734b82632f0c7786d6b3abf58416bb88d2032fd9ede6ae548f869f5f49d79ad880bfa81225c0a

C:\Program Files (x86)\GUME966.tmp\goopdateres_fil.dll

MD5 e97c30923109dc4f1e75ed9be51ff97d
SHA1 ed5326c45325f94bdcc485735a1ce7d17b6976de
SHA256 cad333c1800e6d5a046034e64315de2778287fcd192b3f30d39609173fe5d4f1
SHA512 bbd877d2139f32087d3512ecec3b3d16e44b9d2acfe3c91c41c20406075ae1156409df30f4753bfff4e61241067cde2c2aac92ea52254fe4988bee2dafb9e8a0

C:\Program Files (x86)\GUME966.tmp\goopdateres_fa.dll

MD5 3a6e68fe872b293df90696996e76b38f
SHA1 a69b0192f3e768f2f11507e02c0cdf132e1aaab8
SHA256 41e166029b80e8c538f36bfabb7bac40bed848854dfd13e0bf8e8979a3511740
SHA512 3679c836ae3d9501d7f88fc107e09595c6a403bf8a4b1cd251cb443bddb0e84bf6660edc39fce0ec82c05a62e95299987b854ba91373b7b373127a4615f51550

C:\Program Files (x86)\GUME966.tmp\goopdateres_et.dll

MD5 5b0b1b683839e8c406d1ef3665ae0536
SHA1 f8614acc851e1502fa7a066db7246c0f44267788
SHA256 4f74fb55665673bf7d3da440f1f30ce1f78c97988cee030a8bb79b137a3b7cf6
SHA512 857cc9301dd00d6321a03cd910673329ccfc267641c280a37798c5a2cf0a930a9f5dca4555989243f46186753d541f60f9ecd533da144320877548ed355d8479

C:\Program Files (x86)\GUME966.tmp\goopdateres_es-419.dll

MD5 f82e1dfb6859590345a3743b8593dc87
SHA1 8050281431d32804231b3f9b03187d21225ae8ba
SHA256 0b43e4a4138761c0b3c9bba465d6bd137987d134d21bb135037cf2456c98fddb
SHA512 b43c018f8250b339b02bff466e7fa9a1cc547b0b48efdbd67100eaca507220f6189cbd9c7c753a97a7b0564fbb9815d91f588421682782f1463b6aba150df0d4

C:\Program Files (x86)\GUME966.tmp\goopdateres_en-GB.dll

MD5 eb90f269714ff2571c5bdcadd6505ce5
SHA1 65bf50f255ce7e3c49067b702c5ecdb4e4aa774f
SHA256 5f3c880f47811825aee9bab9cafc292d10d9c801a7b2495a823e62c15b2929e6
SHA512 05a058bd7680cc50f3833b2e19b8c82ace2bad5c4da62cde8dd39937dd8f0a1b56481f03747d8628821922ba1e4fe9172416a60ec34d5ca64c8655452593cd0a

C:\Program Files (x86)\GUME966.tmp\goopdateres_el.dll

MD5 aff8107d364418202f6a21b2b03cf9f6
SHA1 89101bcbdfcccdc6608ad3046b1d17da56c01c0e
SHA256 20749fd36930d8c58396409659670b005aa7cb270a610543ed151fc8501f7071
SHA512 e2392d732982d704c1d2fa894fd3c640e8be46731ff8ed140d0a71be567d1b866411afc5da296ef8087c2186d0d3f5f239bea571b152b72642bbb5215911c1a1

C:\Program Files (x86)\GUME966.tmp\goopdateres_de.dll

MD5 08a0d1a5117893ae591b9106effe5247
SHA1 0e4a97ad9b157df75d9d954485acef4c1a3531e4
SHA256 5627427ccdadb0cbec2ac81347881a97d65bf8806ae45fa2d8d08d01e0c065a1
SHA512 164b053d225645dbdf0362a78b1850778363d534d2b19a75a0bbfcd3545ef05b87e6351fe3423103d8cf5199204b079760a66d872aee90b1da093a0029bed048

C:\Program Files (x86)\GUME966.tmp\goopdateres_da.dll

MD5 bf8ad2db1e4cbc938dd903c799792375
SHA1 4bb18c34b7cdc52ed7a3e93e83f4d08150f29664
SHA256 7b5e8c0cb9043b3f1eaef9b64b695da2c6c0bb679027ce7867fa3eba01b37b5c
SHA512 2ca860f2cb4f8c841f36a03043671b86efccaa7a68283213c5f4881ea017dbe7a80ef3c4e25a21d66198692353327775e6d2bfb2dc9a72ca89011761e44ae318

C:\Program Files (x86)\GUME966.tmp\goopdateres_cs.dll

MD5 4b8f45b7e1a39baccc048e4946926f88
SHA1 7fb7e577e6181ceaecbc3f7d0b8d125ad6ad3a81
SHA256 917e26b3a9fafce6d0ae133a1938f5845c4d8273629cfeefb50d373533f51a2a
SHA512 05eed9d216e475c655ac07dfaa03aaeae2d815934b7ed478835a7038ba87e5e2635d954546e9dd3456d74fa0f5ac8a715ad858b2e2473bf6f3d3185ff105b545

C:\Program Files (x86)\GUME966.tmp\goopdateres_ca.dll

MD5 18b42252e2a7a5c50e22b351d1f9d3b7
SHA1 20c19214e0476290f3ec3396609992b735ffb118
SHA256 dcea9438bd4a16620c28d25169a2b023cfb0ce7ce2b8d713839e5001038e4552
SHA512 2903e9b85717f941f2ac9d49120069973ae6025de6d8a00d2a6da53950ef1fcc0d5b3f4c7ecf599451cce11062aff36c6f069dea911f42f0800148f899be97d7

C:\Program Files (x86)\GUME966.tmp\goopdateres_bn.dll

MD5 af71383de3a520b7ce0585a8bf64368f
SHA1 0761a1e14f19385f8524b71be3882d357f070a86
SHA256 a71c82e6bb69da2231566cf012cba276fa0a3644d7cfc732d188ffb420a209ef
SHA512 832fed14a1e549e388e7094d5ad9f7cc54b2085c66cc2f7a5a063a01631520693179c244d4e02042eee2e22d082706d96868cb66ab7e4bccdba282a6d8be4d01

C:\Program Files (x86)\GUME966.tmp\goopdateres_bg.dll

MD5 8eac2099a1e21bae948d6e149fbdabaf
SHA1 5516edeac6765bd5f30484611782764874b64b08
SHA256 a1062fcaf046c3ad0a13001045acc71dcde10f4802e6fa3caabb1b0f6d821555
SHA512 17e6d1f7c7c79957e8083304249f6f1810ecb5afda5eacceddfe954f5629ca36f7371f58f997cb9924c973b7e58c9d0b44ec803a81bb33f4d07acbc0547ffd3a

C:\Program Files (x86)\GUME966.tmp\goopdateres_ar.dll

MD5 7415d9f09649006e0c1555313e2c3ba9
SHA1 3283f49898a6b4c5a7b39343b5843ebc4cf89b4f
SHA256 277e719233da022d585d1c1888140f02cc3a015f467ce8643658cb9e93d801af
SHA512 e4ac00955561c8dd7ecbdf6c701aea990baeb0fb7fd13328f355705529cabd7f5c661ecc746ae0c750e282c0e8255a25f587b252d6418110758f8ebf4d1d1536

C:\Program Files (x86)\GUME966.tmp\ZoneAlarmCrashHandler.exe

MD5 68351fedf0579636dbba97dd5e0efe80
SHA1 68473a8b1fffc7b0286891c3b19cbe0b6532e61f
SHA256 4613295b428618717cd9c11d35694aa13c0708483e4c15a620e75592ab30c5ec
SHA512 2b0b13cce89ef247b80ffbb3331881a9de9db60204b304fb96d4d76b1873447c1c541118e0fccdb54944d6b68b45ef74a78df0472978b14ee316a11bc340136d

C:\Program Files (x86)\GUME966.tmp\goopdateres_am.dll

MD5 86a76c0d9a83f9bebe41b625451130a6
SHA1 462d8d69e0849e8060cd02e5c23f76a477997136
SHA256 60683f854f8ddb182c09106b2e12973f738b16209faa11e749a64be458e7c03f
SHA512 ab73e8ffcde809ece00991d477659c994ffeb518688cd0c531a328f3893af9b671606aca6239927b95aaf4ae8284007ea1229a0f2381ae32f1022c237c9ff923

C:\Program Files (x86)\GUME966.tmp\ZoneAlarmCrashHandler64.exe

MD5 a59880ae7d713204229829e14d658686
SHA1 fa8a1f5af1c3dd5d864fe47bc083d0ab2d30657e
SHA256 57679084e0bdd91f06e2bc47441f9a7f54b746898341f74a0c4d78f7e1c6c4b1
SHA512 8b11b6ca6e1b0097784fe9c60336da37291ff42f3175a849b56f68cb7d0572a647a96591969668fea9583d345cca2f77cf85e82535d137dc2376eda14ee17794

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:16

Platform

android-x64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:16

Platform

android-x86-arm-20240611.1-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:19

Platform

macos-20240611-en

Max time kernel

131s

Max time network

134s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe]

/bin/zsh

[/bin/zsh -c /Users/run/ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe]

/Users/run/ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe

[/Users/run/ZoneAlarmNGSetup_ZANG_FW_FR_AR8ZNP.exe]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
GB 51.132.193.104:443 tcp
GB 17.250.81.67:443 tcp
US 8.8.8.8:53 h3.apis.apple.map.fastly.net udp
US 8.8.8.8:53 gspe1-ssl.ls.apple.com.edgesuite.net udp
GB 104.77.118.121:443 tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
US 8.8.8.8:53 a479.dscg4.akamai.net udp
GB 23.200.147.24:443 gspe1-ssl.ls.apple.com.edgesuite.net tcp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.189.173.17:443 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 cds.apple.com udp
BE 104.68.86.71:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
US 23.220.113.166:443 help.apple.com tcp
US 23.220.113.166:443 help.apple.com tcp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Users/run/Library/Caches/GeoServices/Resources/altitude-1285.xml

MD5 9a43af57707d2fb460832049d1f217d1
SHA1 056d813f8cb5198ca82072f7e3484f38ea5267f8
SHA256 7224f8828694ed74a8353567e4d84da188d15a993a4a75938f8409cb49218e7c
SHA512 1f33175f5d0958c79540a627552f71c6960b6ff19c9b2b0aa604c00bfeff216f6ea2ec3a22ef91ad8d7249597fdf5ad49ddbf5f4aef71b397e785152474954d7

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 15db87fac5a7041a4839e0b11728b4de
SHA1 28f28bcbc84ed68794d45ce5800d667a4c716fec
SHA256 0c96df606f8448bfb0c2b391da44fc8f9b62d0d9730a11e07cf3159ad3ec51d7
SHA512 47c01a43289c40b007d5fd05fe40891946c73818a8b85b0518e6cfd7f9e6cefd7bdb693d08fc0010d5ce4a718d357fcaaf6054c28b3907cc75af68fa79db2785

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 95d1f6a479ea836bed553646ebef85c1
SHA1 19da469018294e373c788d888e5c55e0bb18695e
SHA256 fc78047a7293b7fba3abe949497f397804f86e2ff04c29c4a549df60aa877aa2
SHA512 3f9b8aa7efc6cbbcf6672e0d08a630178c653894d800e9125ed18774de105bc564b097120e98b5711cec5d05d95b41fe822019bc10038055eabf341b0c12845d

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 b5ed1a4aa9f5eb7122af5b836de7cefc
SHA1 50f9e5dbb61125650245824f2bc6b466ede59bf6
SHA256 c81bb42621fd0e666a3863f06db96ab6f5f2631cf135d41e2916c25d973c1056
SHA512 3986a6f6457f3f794a04034f6d905cdb7ab37e67fd3d266a1aa7bf5deaeb544097d0c8668642288f2a6dfb33f343147241d2130abbff33f20140c6608f4a1211

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 ce7f5b3d4bfc7b4b0da6a06dccc515f2
SHA1 ce657a52a052a3aaf534ecfbf7cbdde4ee334c10
SHA256 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1
SHA512 db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:16

Platform

debian9-armhf-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-17 19:16

Reported

2024-06-17 19:16

Platform

ubuntu2204-amd64-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A