131066d63d393f0081a5e5ae68c09c75b4de42368caed2ecd5e5a8c0c17d4a66

Resubmissions

20/07/2024, 14:34

240720-rxfh9azgqb 7

20/07/2024, 14:30

240720-rvc1ca1brk 7

Analysis

max time kernel
72s
max time network
73s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZonaSetup64[6UCQR].exe
Size

182.7MB
MD5

140fa16f46383a496232215d1a95bf86
SHA1

f4ed05b78fa59eeea7eb52d83190ec7403b0859d
SHA256

131066d63d393f0081a5e5ae68c09c75b4de42368caed2ecd5e5a8c0c17d4a66
SHA512

85f31e57b8f5201a6c82afb0734852f79f198c2747293788f1cd7c2f9c9a030a264c819c1c437cbbcac079fcae3fce59513caf112060f02e515cb35d53537729
SSDEEP

3145728:cqkUZfZDemxdcU8+m/PeW0+o6fAsrUvj073vNyLlqbLK82oUprahTGWhhuiS5RSl:0WpEn+8MsfAsrUL07vwlOK8nUpmhTThH

Score

7^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe

Executes dropped EXE 27 IoCs

pid	Process
2020	java.exe
2496	javaw.exe
2808	Zona.exe
1728	java.exe
1776	javaw.exe
1760	javaw.exe
2544	Zona.exe
1544	java.exe
1540	javaw.exe
580	javaw.exe
1948	ZonaUpdater.exe
1632	java.exe
1744	javaw.exe
2568	msedgewebview2.exe
2516	msedgewebview2.exe
2852	javaw.exe
1500	msedgewebview2.exe
1108	msedgewebview2.exe
2408	msedgewebview2.exe
2928	msedgewebview2.exe
932	msedgewebview2.exe
1980	msedgewebview2.exe
2148	msedgewebview2.exe
2640	msedgewebview2.exe
1992	msedgewebview2.exe
3996	msedgewebview2.exe
3128	msedgewebview2.exe

Loads dropped DLL 64 IoCs

pid	Process
2760	ZONASE~1.EXE
2760	ZONASE~1.EXE
2760	ZONASE~1.EXE
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2020	java.exe
2760	ZONASE~1.EXE
2760	ZONASE~1.EXE
2760	ZONASE~1.EXE
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2496	javaw.exe
2760	ZONASE~1.EXE
2760	ZONASE~1.EXE
2760	ZONASE~1.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zona = "C:\\PROGRA~1\\Zona\\Zona.exe /MINIMIZED"	ZONASE~1.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Zona.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgewebview2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\PROGRA~1\Zona\jre\legal\java.prefs\ADDITIONAL_LICENSE_INFO	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.transaction.xa\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.dynalink\LICENSE	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.naming.rmi\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.scripting.nashorn\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\bin\freetype.dll	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.sql.rowset\ADDITIONAL_LICENSE_INFO	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.net\LICENSE	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.xml.dom\ADDITIONAL_LICENSE_INFO	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\lib\security\public_suffix_list.dat	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\bin\api-ms-win-core-file-l2-1-0.dll	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\bin\javaw.exe	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\bin\keytool.exe	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.desktop\lcms.md	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.naming\ADDITIONAL_LICENSE_INFO	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.naming\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\lib\modules	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\License_uk.rtf	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\bin\api-ms-win-core-debug-l1-1-0.dll	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.base\cldr.md	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.aot\LICENSE	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.sctp\ADDITIONAL_LICENSE_INFO	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.sql.rowset\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.httpserver\LICENSE	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.security.jgss\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\bin\jawt.dll	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\bin\management_agent.dll	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\conf\security\java.policy	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\conf\sound.properties	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.management\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.rmi\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.xml\LICENSE	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.crypto.cryptoki\ADDITIONAL_LICENSE_INFO	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\bin\java.exe	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\bin\prefs.dll	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.instrument\ADDITIONAL_LICENSE_INFO	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\bin\rmid.exe	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.logging\ADDITIONAL_LICENSE_INFO	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.prefs\LICENSE	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.crypto.ec\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.internal.vm.ci\ADDITIONAL_LICENSE_INFO	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.naming.rmi\LICENSE	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.security.auth\ADDITIONAL_LICENSE_INFO	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\License_en.rtf	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.smartcardio\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.aot\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.dynalink\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.jdwp.agent\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.management.agent\LICENSE	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.compiler\ADDITIONAL_LICENSE_INFO	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.security.jgss\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.management.jfr\ASSEMBLY_EXCEPTION	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.security.auth\LICENSE	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.zipfs\ADDITIONAL_LICENSE_INFO	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.naming.ldap\ADDITIONAL_LICENSE_INFO	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\conf\logging.properties	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\conf\management\management.properties	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.net.http\LICENSE	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\java.xml\ADDITIONAL_LICENSE_INFO	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.crypto.mscapi\LICENSE	ZONASE~1.EXE
File created	C:\PROGRA~1\Zona\jre\legal\jdk.management\ASSEMBLY_EXCEPTION	ZONASE~1.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ZonaUpdater.log	ZonaUpdater.exe
File created	C:\Windows\hsperfdata_Admin\1632	java.exe
File created	C:\Windows\hsperfdata_Admin\1744	javaw.exe
File created	C:\Windows\hsperfdata_Admin\2852	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Zona.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Zona.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Zona.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	java.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	java.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	java.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	java.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Magnet	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Magnet\URL Protocol	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\DHT\shell\open\command\ = "\"C:\\PROGRA~1\\Zona\\Zona.exe\" \"%1\""	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DHT\shell	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Zona\URL Protocol	ZONASE~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\Content Type = "application/x-bittorrent"	ZONASE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.magnet	Zona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\ = "Magnet URI"	Zona.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\DHT	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-dht	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\DHT\DefaultIcon\ = "C:\\PROGRA~1\\Zona\\torrent.ico"	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Zona	ZONASE~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Zona\shell\open\command\ = "\"C:\\PROGRA~1\\Zona\\Zona.exe\" \"%1\""	ZONASE~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-magnet\Extension = ".magnet"	Zona.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\MIME\Database\Content Type\application/x-magnet	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.dht\Content Type = "application/x-dht"	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DHT\shell\open\command	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DHT\shell\open	Zona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zona\ = "Zona"	ZONASE~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.magnet\ = "Magnet"	Zona.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\MIME	Zona.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\MIME\Database\Content Type	Zona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\shell\open\command\ = "\"C:\\PROGRA~1\\Zona\\Zona.exe\" \"%1\""	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Zona\shell	ZONASE~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Zona\ = "Zona Download"	ZONASE~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Magnet\Content Type = "application/x-magnet"	Zona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DHT\DefaultIcon\ = "C:\\PROGRA~1\\Zona\\torrent.ico"	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\DHT\Content Type = "application/x-dht"	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Zona.exe	ZONASE~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Zona.exe\shell\open\command\ = "\"C:\\PROGRA~1\\Zona\\Zona.exe\" \"%1\""	ZONASE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-magnet	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\MIME\Database\Content Type\application/x-magnet\Extension = ".magnet"	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Zona.exe\shell\open	ZONASE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Magnet\ = "Magnet URI"	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\shell	Zona.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\DHT\shell\open	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\MIME\Database\Content Type\application/x-dht\Extension = ".dht"	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Zona.exe\shell\open\command	ZONASE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\MIME\Database	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\shell\open\command	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.dht\ = "DHT"	Zona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-dht\Extension = ".dht"	Zona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DHT\ = "DHT URI"	Zona.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\DHT\DefaultIcon	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Zona\Content Type = "application/x-bittorrent"	ZONASE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.magnet	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\DefaultIcon	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Magnet\shell\open\command\ = "\"C:\\PROGRA~1\\Zona\\Zona.exe\" \"%1\""	Zona.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.dht	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.magnet\Content Type = "application/x-magnet"	Zona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\DefaultIcon\ = "C:\\PROGRA~1\\Zona\\torrent.ico"	Zona.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Magnet\shell\open\command	Zona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dht\ = "DHT"	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DHT\DefaultIcon	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	ZONASE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DHT	Zona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DHT\shell\ = "open"	Zona.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\DHT\shell	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\DHT\shell\ = "open"	Zona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Zona\shell\open	ZONASE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Zona.exe\shell	ZONASE~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.magnet\ = "Magnet"	Zona.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Magnet\DefaultIcon\ = "C:\\PROGRA~1\\Zona\\torrent.ico"	Zona.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2760	ZONASE~1.EXE
2760	ZONASE~1.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2544	Zona.exe
2544	Zona.exe
2544	Zona.exe
2568	msedgewebview2.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2544	Zona.exe
2544	Zona.exe
2544	Zona.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2544	Zona.exe
2544	Zona.exe
2544	Zona.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2760	2332	ZonaSetup64[6UCQR].exe	30
PID 2332 wrote to memory of 2760	2332	ZonaSetup64[6UCQR].exe	30
PID 2332 wrote to memory of 2760	2332	ZonaSetup64[6UCQR].exe	30
PID 2760 wrote to memory of 2020	2760	ZONASE~1.EXE	33
PID 2760 wrote to memory of 2020	2760	ZONASE~1.EXE	33
PID 2760 wrote to memory of 2020	2760	ZONASE~1.EXE	33
PID 2760 wrote to memory of 2496	2760	ZONASE~1.EXE	35
PID 2760 wrote to memory of 2496	2760	ZONASE~1.EXE	35
PID 2760 wrote to memory of 2496	2760	ZONASE~1.EXE	35
PID 2760 wrote to memory of 2808	2760	ZONASE~1.EXE	37
PID 2760 wrote to memory of 2808	2760	ZONASE~1.EXE	37
PID 2760 wrote to memory of 2808	2760	ZONASE~1.EXE	37
PID 2808 wrote to memory of 1728	2808	Zona.exe	38
PID 2808 wrote to memory of 1728	2808	Zona.exe	38
PID 2808 wrote to memory of 1728	2808	Zona.exe	38
PID 2808 wrote to memory of 1776	2808	Zona.exe	41
PID 2808 wrote to memory of 1776	2808	Zona.exe	41
PID 2808 wrote to memory of 1776	2808	Zona.exe	41
PID 2808 wrote to memory of 1760	2808	Zona.exe	42
PID 2808 wrote to memory of 1760	2808	Zona.exe	42
PID 2808 wrote to memory of 1760	2808	Zona.exe	42
PID 2760 wrote to memory of 2544	2760	ZONASE~1.EXE	43
PID 2760 wrote to memory of 2544	2760	ZONASE~1.EXE	43
PID 2760 wrote to memory of 2544	2760	ZONASE~1.EXE	43
PID 2544 wrote to memory of 1544	2544	Zona.exe	44
PID 2544 wrote to memory of 1544	2544	Zona.exe	44
PID 2544 wrote to memory of 1544	2544	Zona.exe	44
PID 2544 wrote to memory of 1540	2544	Zona.exe	46
PID 2544 wrote to memory of 1540	2544	Zona.exe	46
PID 2544 wrote to memory of 1540	2544	Zona.exe	46
PID 2544 wrote to memory of 580	2544	Zona.exe	47
PID 2544 wrote to memory of 580	2544	Zona.exe	47
PID 2544 wrote to memory of 580	2544	Zona.exe	47
PID 2544 wrote to memory of 1948	2544	Zona.exe	49
PID 2544 wrote to memory of 1948	2544	Zona.exe	49
PID 2544 wrote to memory of 1948	2544	Zona.exe	49
PID 1948 wrote to memory of 1632	1948	ZonaUpdater.exe	50
PID 1948 wrote to memory of 1632	1948	ZonaUpdater.exe	50
PID 1948 wrote to memory of 1632	1948	ZonaUpdater.exe	50
PID 1948 wrote to memory of 1744	1948	ZonaUpdater.exe	52
PID 1948 wrote to memory of 1744	1948	ZonaUpdater.exe	52
PID 1948 wrote to memory of 1744	1948	ZonaUpdater.exe	52
PID 2544 wrote to memory of 2568	2544	Zona.exe	53
PID 2544 wrote to memory of 2568	2544	Zona.exe	53
PID 2544 wrote to memory of 2568	2544	Zona.exe	53
PID 2568 wrote to memory of 2516	2568	msedgewebview2.exe	54
PID 2568 wrote to memory of 2516	2568	msedgewebview2.exe	54
PID 2568 wrote to memory of 2516	2568	msedgewebview2.exe	54
PID 1948 wrote to memory of 2852	1948	ZonaUpdater.exe	55
PID 1948 wrote to memory of 2852	1948	ZonaUpdater.exe	55
PID 1948 wrote to memory of 2852	1948	ZonaUpdater.exe	55
PID 2568 wrote to memory of 1500	2568	msedgewebview2.exe	56
PID 2568 wrote to memory of 1500	2568	msedgewebview2.exe	56
PID 2568 wrote to memory of 1500	2568	msedgewebview2.exe	56
PID 2568 wrote to memory of 1500	2568	msedgewebview2.exe	56
PID 2568 wrote to memory of 1500	2568	msedgewebview2.exe	56
PID 2568 wrote to memory of 1500	2568	msedgewebview2.exe	56
PID 2568 wrote to memory of 1500	2568	msedgewebview2.exe	56
PID 2568 wrote to memory of 1500	2568	msedgewebview2.exe	56
PID 2568 wrote to memory of 1500	2568	msedgewebview2.exe	56
PID 2568 wrote to memory of 1500	2568	msedgewebview2.exe	56
PID 2568 wrote to memory of 1500	2568	msedgewebview2.exe	56
PID 2568 wrote to memory of 1500	2568	msedgewebview2.exe	56
PID 2568 wrote to memory of 1500	2568	msedgewebview2.exe	56

C:\Users\Admin\AppData\Local\Temp\ZonaSetup64[6UCQR].exe
"C:\Users\Admin\AppData\Local\Temp\ZonaSetup64[6UCQR].exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\ZONASE~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\ZONASE~1.EXE" /secondInstance /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\PROGRA~1\Zona\jre\bin\java.exe
    "C:\PROGRA~1\Zona\jre\bin\java.exe" -version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:2020
- - C:\PROGRA~1\Zona\jre\bin\javaw.exe
    "C:\PROGRA~1\Zona\jre\bin\javaw.exe" -classpath "C:\PROGRA~1\Zona\utils.jar" ru.megamakc.core.JavaArch
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:2496
- - C:\PROGRA~1\Zona\Zona.exe
    C:\PROGRA~1\Zona\Zona.exe /copydll
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\PROGRA~1\Zona\jre\bin\java.exe
      "C:\PROGRA~1\Zona\jre\bin\java.exe" -version
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1728
  - - C:\PROGRA~1\Zona\jre\bin\javaw.exe
      "C:\PROGRA~1\Zona\jre\bin\javaw.exe" -classpath "C:\PROGRA~1\Zona\utils.jar" ru.megamakc.core.JavaArch
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1776
  - - C:\PROGRA~1\Zona\jre\bin\javaw.exe
      "C:\PROGRA~1\Zona\jre\bin\javaw.exe" -classpath "C:\PROGRA~1\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1760
- - C:\PROGRA~1\Zona\Zona.exe
    "C:\PROGRA~1\Zona\Zona.exe" --readInitFile
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\PROGRA~1\Zona\jre\bin\java.exe
      "C:\PROGRA~1\Zona\jre\bin\java.exe" -version
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1544
  - - C:\PROGRA~1\Zona\jre\bin\javaw.exe
      "C:\PROGRA~1\Zona\jre\bin\javaw.exe" -classpath "C:\PROGRA~1\Zona\utils.jar" ru.megamakc.core.JavaArch
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1540
  - - C:\PROGRA~1\Zona\jre\bin\javaw.exe
      "C:\PROGRA~1\Zona\jre\bin\javaw.exe" -classpath "C:\PROGRA~1\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:580
  - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZonaUpdater.exe
      C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZonaUpdater.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\PROGRA~1\Zona\jre\bin\java.exe
        
        "C:\PROGRA~1\Zona\jre\bin\java.exe" -version
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Checks processor information in registry
        
        PID:1632
    - - C:\PROGRA~1\Zona\jre\bin\javaw.exe
        
        "C:\PROGRA~1\Zona\jre\bin\javaw.exe" -classpath "C:\PROGRA~1\Zona\utils.jar" ru.megamakc.core.JavaArch
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Checks processor information in registry
        
        PID:1744
    - - C:\PROGRA~1\Zona\jre\bin\javaw.exe
        
        "C:\PROGRA~1\Zona\jre\bin\javaw.exe" -classpath "C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\zupdater.ext.jar" ru.zona.plugins.zupdater.ext.Main update
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Checks processor information in registry
        
        PID:2852
  - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe
      "C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Zona.exe --webview-exe-version=3.0.0.2 --user-data-dir="C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --force-device-scale-factor=1 --mojo-named-platform-channel-pipe=2544.2556.2448290905367717949
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Checks system information in the registry
      Enumerates system info in registry
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe
        
        C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=106.0.5249.91 --annotation=exe=C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=106.0.1370.34 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xec,0x7fef35c6e08,0x7fef35c6e18,0x7fef35c6e28
        5⤵
        Executes dropped EXE
        
        PID:2516
    - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView" --webview-exe-name=Zona.exe --webview-exe-version=3.0.0.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1236,i,4574367226334843310,544793873166452381,131072 /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:1500
    - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView" --webview-exe-name=Zona.exe --webview-exe-version=3.0.0.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=1432 --field-trial-handle=1236,i,4574367226334843310,544793873166452381,131072 /prefetch:3
        5⤵
        Executes dropped EXE
        
        PID:1108
    - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView" --webview-exe-name=Zona.exe --webview-exe-version=3.0.0.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=1520 --field-trial-handle=1236,i,4574367226334843310,544793873166452381,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:2408
    - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView" --webview-exe-name=Zona.exe --webview-exe-version=3.0.0.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --display-capture-permissions-policy-allowed --js-flags=--ms-user-locale= --event-path-policy=0 --first-renderer-process --force-device-scale-factor=1 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2136 --field-trial-handle=1236,i,4574367226334843310,544793873166452381,131072 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2928
    - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView" --webview-exe-name=Zona.exe --webview-exe-version=3.0.0.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1308 --field-trial-handle=1236,i,4574367226334843310,544793873166452381,131072 /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:932
    - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView" --webview-exe-name=Zona.exe --webview-exe-version=3.0.0.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --display-capture-permissions-policy-allowed --js-flags=--ms-user-locale= --event-path-policy=0 --force-device-scale-factor=1 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3092 --field-trial-handle=1236,i,4574367226334843310,544793873166452381,131072 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1980
    - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView" --webview-exe-name=Zona.exe --webview-exe-version=3.0.0.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --display-capture-permissions-policy-allowed --js-flags=--ms-user-locale= --event-path-policy=0 --force-device-scale-factor=1 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3384 --field-trial-handle=1236,i,4574367226334843310,544793873166452381,131072 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2148
    - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView" --webview-exe-name=Zona.exe --webview-exe-version=3.0.0.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --display-capture-permissions-policy-allowed --js-flags=--ms-user-locale= --event-path-policy=0 --force-device-scale-factor=1 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3488 --field-trial-handle=1236,i,4574367226334843310,544793873166452381,131072 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2640
    - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView" --webview-exe-name=Zona.exe --webview-exe-version=3.0.0.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --display-capture-permissions-policy-allowed --js-flags=--ms-user-locale= --event-path-policy=0 --force-device-scale-factor=1 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3700 --field-trial-handle=1236,i,4574367226334843310,544793873166452381,131072 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1992
    - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView" --webview-exe-name=Zona.exe --webview-exe-version=3.0.0.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --display-capture-permissions-policy-allowed --js-flags=--ms-user-locale= --event-path-policy=0 --force-device-scale-factor=1 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4320 --field-trial-handle=1236,i,4574367226334843310,544793873166452381,131072 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3996
    - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\Zona\plugins\zbrowser\WebView2\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView" --webview-exe-name=Zona.exe --webview-exe-version=3.0.0.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --display-capture-permissions-policy-allowed --js-flags=--ms-user-locale= --event-path-policy=0 --force-device-scale-factor=1 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4236 --field-trial-handle=1236,i,4574367226334843310,544793873166452381,131072 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Zona\jre\bin\VCRUNTIME140.dll

Filesize
76KB

MD5
fe76f245300a488e20d4c707deb180c6

SHA1
34ff7e2bf27811196c0d0eaee177b2b9f1835700

SHA256
f1234ec1ff27a941524bc9fe00415698e6b4ee0ad0826ca06f4b92d83a739483

SHA512
e74c0c9348cb2212350a97e2e730cd8c763e08b04cc2525cc642d7a9e4166b253ffa31b95d839d976722fe70789e6286f1d867c6f73e2a646a5b6b3417a889f6

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
1cba516107ed68857615de261e8ea332

SHA1
7468b45b423e968302699f38aac62f7ced77ae9d

SHA256
ea7241a2973fbfc79263134f9799116bafc6762f02c979c8ca0e5fe5d789e2df

SHA512
3782ea6c476f565bcf644f751a38dbc2af233e638cefcbfe0d27cb103d40cde10a6243cf428b935ea881d0fa9f71a1195dcc2faa5bd6756b087fda0dc5e4cca4

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
248c14b0517d8f260113864f9d4370aa

SHA1
f8f0b81e6385000aeb5948cdcb69ca439b227d59

SHA256
51b6b3433c7bc86c2348f553e580a98de2f2c4d7b898ede8eb41e1a281894a6b

SHA512
192cffc4e5ca78ac16d421947312aac38418ddeef38cd819bd6e822e9c81826411fb1bffa16f11722a06700c1d9af891bc673e0c1eb06088ccb097bcf23a0e31

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
aa93fa26f1aef5a365d477810157f134

SHA1
7d2214604d8a194e6e58cc2de170eef23a1953f2

SHA256
64110a54ccac15294e62dcb88967f4314e0cc8154ff28814d3e516e7e888bb1c

SHA512
ec54ae0592c2849086f97d75ddcb2cdddb1d1823dd21f182b36617e5c645fedd6ccf17f58ce127a9d00dbbac649397207d7e90b67db8e846b69628e1e290119e

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
51f2d017dbd4e9c7ef65f9510c2ee0f9

SHA1
43327b02be364e22abf1d33f3772c9488a81bae6

SHA256
c6ebe0293eb8a7ea7c3c63396dc2c8fd3cab688b37e660c178a53ceb87b0006e

SHA512
bf2ef0483b4463d0aeed686d2771927414f6f2ae9c36d2296cb5ba447e5b06b68935dbd6cd26396913c265f0b98d22e18cc40f4840cc76410ea988e59a5cc932

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-core-synch-l1-2-0.dll

Filesize
12KB

MD5
9e7a4ff6abf92204fafd40e5e549375b

SHA1
fc3f4a6b9926f87c0671e006a4c0752eddc63f2a

SHA256
feded9577474a94514064ca3369eb5409190742dfea8ccbd1127269b0099e7ae

SHA512
054b2d3632fef9a7e410a2c48e1fd2fb14a57aada1e5e9ce9e6bacf76109cb4b1eb9263b7cbf11b56e91d90417b9957d587293ac43d039d6f0049b51e0d2bb72

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
3ea688107eb9df358e1b6be467fe1a97

SHA1
bc152eda4ec21429f8351673763e1ec19638f1c7

SHA256
e1dc6722840a42ed84b5b77b28edee58f9fff005f03445c8e93d204ca657ca4c

SHA512
7b39217419aba5ae7248a83e26fe626b1aedf1d2ef540ce29ae1d21090f12ac735c1e4563a53c81df2ff9f557f4edff2d9d7d6641be6cdd1277d54489bcab64f

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
ade506ca70c747ef433cbddb78f9b162

SHA1
468680f90a229d3d4ecc12d7c479fc212afaec7c

SHA256
1deab046feede8bcdae6720d7e25942c29504d02685c86cf6cb5a91802b89626

SHA512
04ab83b8f1315ed948c33ce4208ffc2c2857429260cb0980320b2374fb37789e107c0ec5b7f74355c567a469a33664c84921cf19292fafd9d3f5f2371cc20ba8

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-crt-environment-l1-1-0.dll

Filesize
12KB

MD5
6e6694ae6b210249f0b355b74c850fe3

SHA1
6333196dffbfa10c994f3f600843118d960d2157

SHA256
0327e5ffeb78cbbfd4884601c02eb26c35e8d96dc36ddfe4e1e94cdf26ae57ec

SHA512
e783736c76bbc9c7ee80645f220cab8c807efb98cf7eaca7546381b14f26a073ebb8a5a6b9e140cc0770254a2269b46ec86c5839c2fde17ffe7a1b79778d733c

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
203b134f522d3fbf4f2792dda2e62106

SHA1
63e26c92ccd0db522ebba0e81ab4f9a6fec9cdf0

SHA256
74c417a07604c538bc5db28b202835f61c90acc282d734a356b04681b494b7bd

SHA512
605d037ffd453a33bf1218ed417b130176c39eccb1a73221d6be4df24540d9778e3f582b35838d36b0e1503256959fc8477ed45d18477323e22a804df8bd77d9

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
b8588d48708d9885e4b8385061519930

SHA1
2a5420a984461de9d86f3706004b946f5dae2e3b

SHA256
6e772b4fb8434c622f564ffdd07cd962be13a9874f29e8bf35d4f92e521ad866

SHA512
a380bc1dee511ff16d070c6ffc95fa8f59ac7f6490181cc1b62bca600f498e4af1472ed9ac21c6badfc282054e8afef2119a9c2b7c6010ec25243f1ac94ed4c1

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-crt-locale-l1-1-0.dll

Filesize
12KB

MD5
3bc675ebd81bfb37a8167bd2b2813a1d

SHA1
d33ccd465831d25f70dfc7485ff1dbdf84fcb799

SHA256
dd8a2435789f1d156c143dc0dde7b8d679accc11902357b3e837a32825647942

SHA512
0fc8eb2bb481d112e324c41e32d9998bb4d126ac6e255ba3b8b558e046fec3212edf685bdb87075c94d3598ec5e8757dc11eed37c29551803fe5ff5d806b90c0

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
3093536685f5f8bd3f648b63bc971a2c

SHA1
aeda064a6995c7e4f8d2691a8cae0030ebd01836

SHA256
0cf28e2227b7b391f658b16fdff5e4b80a378089c6575a7ffc8f58e3938578d7

SHA512
7874fe710ec5eb09a65e5ee4e3640bcfeebd62287b728839a604599a935bb39de532d04c641775cadb0f465fbf6ecde872d2c8305bbf0dc35fa1462e9f6f45f7

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
16KB

MD5
3047c4354d2c3d78ef786ec7bbe050dd

SHA1
8cc7e3c028a383d4d749d167a3afb03d67c2ae2e

SHA256
897408a731cf29d2c887fb1ae0046d181ab9330904619af32362e5d88b92d163

SHA512
988d9a1c230e60319fca36e2dc6e024c3642e3517ba719b80fa5fd5459eabb0f557925c11ed14c267eb65a4f3553e0073524ead105e0045984063a2ed1350959

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
9ddc7416abe89872aa021de39005c456

SHA1
2a40a2521bb57c9837fda74cd19eba23cebf2a8d

SHA256
f331cf27359de88dbc7e019a2c16d8cfddb0116778f2630d25d0aaf51cb577bc

SHA512
202684579785f89e4b7ef1e827b7117fb53b61de0c9e3d7bf709f9f9a5ac545f441bbd283eaa68fbfa076cf011481c6d372416e84a9201d53df8e0036b20629f

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
652357dab923381bce03e04d5766e448

SHA1
63bae825ef3d065d5ace6981edd7acfa3d07e992

SHA256
94a1abc2ae935e73cd26e918abf2921934909c5f4582290b6307011393a035d7

SHA512
86078febd5bf65fb0426ef75df7935e0371d1f68f525b37f9de4b8872c57e275741567b2bf0f7f13c5f7aa1a1dc6c46990423f06f141a72c91ec0f0c184b1934

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-crt-time-l1-1-0.dll

Filesize
14KB

MD5
de05f32f5e4667b2e8d47a36a432c95c

SHA1
5f4834c4fe74e4bf4229505b9a88f9a7ee8aed6a

SHA256
e9a2078d9410be55bbb81d9c00f401ad768248ef30067e510a482f7e21606e44

SHA512
4281c05dc3d29b0b7fc6f681e38ab3940a041715d7fb27b07eb8de568226e36c6b1725f2ad4b80ff05e517e568a033e447a6afbde22b8e0795b2db21a049acab

Download Submit
C:\PROGRA~1\Zona\jre\bin\api-ms-win-crt-utility-l1-1-0.dll

Filesize
12KB

MD5
80d69698add15e6dfdc1b73784a89c76

SHA1
177c4a3a0087880f4e4d1d82e8ba45b4d9acaf87

SHA256
6b8d0041a5ee99128350e9c40961ef2eb34f9fe7bcf05dfde9fe8d674fef40b1

SHA512
9d11243d8d13cbde2358c5a25d02bd1e34b2d5b559bc9b6ba9f47e569180caae609a7b8812e76e2ad856c98c1014b648e49c4a069426556f8abaac0b9c4bf827

Download Submit
C:\PROGRA~1\Zona\jre\bin\jimage.dll

Filesize
31KB

MD5
68b0164b5368d713e4ce6a4ff452e9ca

SHA1
28c45a30fa6904331324ae16d51de235c5e36bd2

SHA256
485377c9a8b49667ff05cffc393b6b5a43ac140b93df2c0c49c6f5f399907b59

SHA512
371d5fed6c3598ff10a538ebbe7f1ae1283b25f4998f917de8e811eaee7f03e37096793b907259afc08fc0dce5ced7a1d5f97f9d69a234d11de51710b74117c6

Download Submit
C:\PROGRA~1\Zona\jre\bin\jli.dll

Filesize
83KB

MD5
81191c7171de4834a8585e89a19ebbc3

SHA1
caa6eea425e593a64490dd0968230c71c3828acc

SHA256
4713ed8352a3d8067d8f0cf8114e1a9f2e6d647c28b7a98b42c447826071a275

SHA512
28f6eee904c168c36b8b4737a73299f90fd1a55ac9760e64a4897a9a5d67ce701f1f08ad4f68171a2587345ff5470a1624b508d1e057ebf8ac33f67fe5f7fce6

Download Submit
C:\PROGRA~1\Zona\jre\bin\msvcp140.dll

Filesize
605KB

MD5
2964c1be4dda5d008104b1bf7e1f1063

SHA1
3f32ad324a2beb28e6c0470b84402af10cb5088c

SHA256
464396e151c3e8afccc606d03fa8f51a09691497906f9889be68577bc5d93cc9

SHA512
cc5cc51fdccc7e00c078297e4c921a86586773daeb0fa95a7e648f3310923218dcbe024af0607a5dad3268404e23d873f96e1f6e0577d40312cb32985decc201

Download Submit
C:\PROGRA~1\Zona\jre\bin\server\jvm.dll

Filesize
11.2MB

MD5
0e147edebeffaf9b0399726f0e9fa90c

SHA1
c2356c25e555083e2bca8a03973b2fdc3bf5a6b6

SHA256
e85a27e1cf5e776768055925b84e0751e7f6615c3f587936c10da30522170138

SHA512
39c5ba629ecbc4cfcfc6e9f71746208d85f4de4c187d96a2075dbd1f28eaf4286d61fb5e6cc3d52e7b6090acc7e2d0b2eb6b647024586c1474e2dd9ffa8da3cf

Download Submit
C:\PROGRA~1\Zona\jre\bin\ucrtbase.DLL

Filesize
986KB

MD5
4ff96229c04d2739ca886365fea47a58

SHA1
9b405cf50054e565b267be2e07f07030d5696e30

SHA256
f4cbce286aa0d95045ba1e699022133ee6dd19e836656b3e342ef2cd580bdc80

SHA512
9c92161f0e5fef6355a19ba7fe08f42439429b87fd4115519debb4b58197392ea5cfc7ac9cfc4bcb0b6f8541d37e5cb33e373bee9e012d9ef59d51b5e31a1053

Download Submit
C:\PROGRA~1\Zona\jre\bin\verify.dll

Filesize
52KB

MD5
d155e2311c97f2c17c05281286ef76ba

SHA1
2de5340ef42ca917564798bcbb2b6c10d166be70

SHA256
86c07525b8711d13872ff00b115b11bffe6d144969e0f957b4046309f40c950b

SHA512
34d98bdbc3640592db61cfb2703d4c4311dc1dd64ea35e569965bdfaac7e6bb6c348851b3b39dee8a6e4442a02d4dfb94fdd2c334d1e41e8cfb3c90435c880bd

Download Submit
C:\PROGRA~1\Zona\jre\legal\java.logging\ADDITIONAL_LICENSE_INFO

Filesize
49B

MD5
19c9d1d2aad61ce9cb8fb7f20ef1ca98

SHA1
2db86ab706d9b73feeb51a904be03b63bee92baf

SHA256
ebf9777bd307ed789ceabf282a9aca168c391c7f48e15a60939352efb3ea33f9

SHA512
7ec63b59d8f87a42689f544c2e8e7700da5d8720b37b41216cbd1372c47b1bc3b892020f0dd3a44a05f2a7c07471ff484e4165427f1a9cad0d2393840cd94e5b

Download Submit
C:\PROGRA~1\Zona\jre\legal\java.logging\ASSEMBLY_EXCEPTION

Filesize
44B

MD5
7caf4cdbb99569deb047c20f1aad47c4

SHA1
24e7497426d27fe3c17774242883ccbed8f54b4d

SHA256
b998cda101e5a1ebcfb5ff9cddd76ed43a2f2169676592d428b7c0d780665f2a

SHA512
a1435e6f1e4e9285476a0e7bc3b4f645bbafb01b41798a2450390e16b18b242531f346373e01d568f6cc052932a3256e491a65e8b94b118069853f2b0c8cd619

Download Submit
C:\PROGRA~1\Zona\jre\legal\java.logging\LICENSE

Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\PROGRA~1\Zona\jre\lib\jvm.cfg

Filesize
28B

MD5
4006564666795c838eed8b7fd958b0af

SHA1
cd6d4f2868725ef7541485719c6ea88d05e43724

SHA256
54ac5bb838f64585085f6c04b73431a96b9246cc0090943c48b067ab05086180

SHA512
87643b6f1da35a9a60869ef1f68141b3e4225fc65b256f31f7289c854d0e929e587ab572d4f67f2802aea89958b3a45a23c83bcc60c6b30613c87021ef537b03

Download Submit
C:\Program Files\Zona\Zona.exe

Filesize
673KB

MD5
7400c762229fdf630a31633bba14183f

SHA1
be27cca34dc8fa8dbbd1a5ec6e3b475eb8a0a0d1

SHA256
45af8f5e163fe781bcf06bd885c6d531e293385c375400aa3514ea8e0f68bf62

SHA512
ab6c726fa01fdd3b8f325a2d4ae447ffcf3b91adc3042da0a1bf03ab8c1ad0029dab7ba784d876947c67ddb97c5f5345630dd5877a6e05f5dcb671e7b8f07970

Download Submit
C:\Users\Admin\.swt\lib\win32\x86_64\swt-win32-4952r11.dll

Filesize
755KB

MD5
a7c9f20fbe1163e8a5c5ed85cf197ee9

SHA1
3981998aa1257f01bf67b5881bb4e992ec0b7a03

SHA256
41863fae02e68d0bc2c5fde086ca54e0c60f6897643f98216d4df3b6727f3617

SHA512
efb0c58f26507b8907eeb09fe8ad60c4fe27cc4eff11923c43b1255e0ce1a3279526d68dc5dfd03878789d735d683581a99725093bb0691659553f3024a20bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1779.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar178B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
fcc49409d425ca7ae85552911f149fc7

SHA1
d2ec2259cb686d88fbe882957741ffb58e967276

SHA256
3e70613d14cbbe2bade0d87da9b20dbb5860ef971d2d65ee752c0cf217d8d710

SHA512
78692c6e527bd31ca02fb372e3e44aa4ce1448b704fed9905729607d797896a2b18d2261ebc4c8a7f7600c0db8963723257c6720082347c0cfcf869bf44f8cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
638B

MD5
3b1771f75d60dba1bfa7ea58689c2c39

SHA1
cd2fcb9deb28241cf0ae2ee743f08ba9d24d151a

SHA256
673963b31360c701f9b7f39a7ea1f05b675ecf5b29203d76edfbd075520a5586

SHA512
8dc0cb950d5783512242d4b7268c2e3df48656975e23d76c535ff39e6be82e8fa9f023278db3aafba03cada15317f50654c4d5564a78e891737457b69621dd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
880B

MD5
0c0dc03e8616f69dea0c170b7f3f6836

SHA1
e2100a500f384917d7f9fbc9e9cb150505f3d583

SHA256
6c7c76d24bfa5a04b9cb1e9e32ee8c592ac1a1aa90cf3b0bc87664bc219e1322

SHA512
c84a58bb6ff829852c1c8d0fb1d4889c5c5a7f53eccb2faf0dd92c63ff3c3d73481b59ff6d6be9fef3ca292c04e695e359bb1507409452dd43610f6de076ad59

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView\Crashpad\settings.dat

Filesize
216B

MD5
a02e24753acba8f138b8ab2b5eb963e2

SHA1
2dc61c0e6c804e323009c5382b4ca746fcb132f0

SHA256
920dbd91af54b4fd0ee9e52301023d3b44d783f99feab47a155bd6d8462ac4f3

SHA512
e1bf009def3dc533f7e0900eb060725960cce3d1f0e448009aef7f539ea65e0391bca5ab95197ae381193cf9f17cef1bf226a2773f4391b156b5f62e3c94bb67

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView\Default\016ad907-b2e4-4cef-95df-23b09253bc5e.tmp

Filesize
6KB

MD5
44dab0784b0fe9bc936b28b054620a81

SHA1
20d3afa6e4a7934558e551a6f1b15022ddcc10a2

SHA256
39fa06d49c8c72a9a99ccc862d1fe1a5f253458fbd604bdb839ba1cd27a0aa18

SHA512
4987caf635a7502ae4759209224da6eca9c449fd9b3993a99aba4d5a34dac865efd6db66559fa7a9fd7bf34577602698a3c069b40227f86b8d2d082a644a66e3

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
f8db7ba8a9620a4b15ce76b126088000

SHA1
006fcbcccd7bb93a909ede635e813a4acdaad7c0

SHA256
212d704f7ae6e753cfb40444d57b96e913fe23f16e3ae5a864be64f7e7f640cf

SHA512
ffec3701f47eca1516e9525f19e057150b322e737814bbbb0b298105e85dd9adb9074f63fd0ab7dce960d809855041354e0a3b682b48b00ddada04f1374f8b92

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView\Default\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView\Default\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView\Default\Extension Scripts\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView\Default\Site Characteristics Database\CURRENT~RFf7713fe.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView\Local State

Filesize
1KB

MD5
c65f517c6197e741313de8a9f818feca

SHA1
dc17478fb6ae3562e5c31a6628356f4605527fc4

SHA256
ee27ecfc9e28f6c8daf2013f4bb716dd9cd1a29dba854dc118c6f400ae6f36a6

SHA512
29b94ea617ae383ce7e2a4dd71b90d49a1ab4a2dcdaf04288686c9f6c0e5775a2bd35edb86160478f88115cd8207bc68eaf905b96c856dfb03b0226137e13248

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\WebView2\EBWebView\ShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\launch.log

Filesize
1KB

MD5
191020054b83ffa854cf300caffd5600

SHA1
e9b3e24e0d91a5e6813cbc21cc149b3552fc2cb8

SHA256
1117b3fe88822eb7b761f12f8cbdb5496c3068d038868193e28f91e8d58b12fd

SHA512
30155f51fa641d6755189d9b45b0282535b16d6fc1329793b379611dfcbda7ae99df2fddde75424ba4d62bfb78b16d292cc569a3cb6f24a5198488b9eac7a46a

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\launch.log

Filesize
3KB

MD5
e771c6a5e99714ff4a3e527d9b989826

SHA1
3a9db38b8a46fee6375c4624b32c3374efabf39b

SHA256
937571872b8746f06076501640f4211b6e573824154ec17c3608af0b52b0c283

SHA512
3745cb72ef8e196fd4118b06cd86a043c50d7fd2fa43d2d35bd05ab8cfa25e1de2c8de9e2d17b97f0fd0e6053536aba06f0e4959e1b443a72b198375a14a18c5

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\launch.log

Filesize
3KB

MD5
7ba3a7dff83f35fb1fc5184f3909453c

SHA1
6fd775eeb16d979a6fa2964b3d44bb262cbfacd2

SHA256
c86569cf4c9fad296d3680ddd6becd5f8528980e9d59e1827581a28d4236977e

SHA512
488b901dd2f9654a6c0fd4a68f183332b602dad92199d50e7cfc92f12a315aedf6f6b3c492916c5dd8da353101c7cb6bfebf4bc5ad6b6c1383bbf838cec34c3b

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\launch.log

Filesize
4KB

MD5
43f170988742e42d961edaffaa6a761b

SHA1
c01837fdd6897333781d4a6d951ff9a1ec3a315e

SHA256
12af2aae3efdb23ee9e4ac4c2cb0c20a07b41d96b46e69799569c85d0ddee004

SHA512
2c8f45f8336d10d7c599c5875e87c1264f9244a87702d826849c3f0b2e33e2408bab85f8c9a9c31d6671c072320c6c0c4271aa3f8936a893aa521bb64b1ed16c

Download Submit
C:\Windows\ZonaUpdater.log

Filesize
661B

MD5
f75e164fa9d20c8dc405ca62b9e47479

SHA1
a6d8243c95eadb363f7816254563897bae190810

SHA256
54b7aabfba073bc16af41b3a777d84b0be96e70b48235203ae0fe3c14ed230be

SHA512
9f3a8facf94b3881d3c9068238fbd5398414255949d9718980281dee80533f5b32578812c0c38f7de72203d98eec38c2eb929ec1c62e13fcf74af794ba625052

Download Submit
C:\Windows\ZonaUpdater.log

Filesize
2KB

MD5
68d3289c7d6ccfc4c6200c7c25f5bd3c

SHA1
75be5fd4251f49a78a7e9503edf457526345a84b

SHA256
9766148a25165874f5eee318b7baaa874802f5eb6292829ac14c4eea2656f7c6

SHA512
ff6e609037cafd23f0985bd1f1066a1f89d5b1e1125834fa5520380c386040aeac4f8d8388fc414abda16be2cd12cea362e03e7da2de8a6321d8d7f7953bb6c9

Download Submit
C:\Windows\ZonaUpdater.log

Filesize
3KB

MD5
1575165dc817f070b1a6926133dd831b

SHA1
d324f29b9bcbd4d5f9d0ee1c7a9794f41302e2a2

SHA256
12d9668cd65bc479ea8bddc48f4dd8881e24e9b409f3d1b818ae2538109d9960

SHA512
db09b3920dcaab7afea4a510ba8906775893d4e023621324628f998e89cc19b1c1bf496bba547af8b48cb932773c76b6bb1b2c9305b8af8cf2a5b886a37c1e55

Download Submit
\PROGRA~1\Zona\jre\bin\java.dll

Filesize
151KB

MD5
a33ee9d70a943ed357ef1a6f2f63ef2c

SHA1
c749fcdaefe26ebc693e412c8a72eab478286f39

SHA256
a0cfc3c274018a0b92d31508950b52da6f55a446027a8aad2c203b9bc5f2d7bd

SHA512
0fc96ed792d0500960433cf26cdb9c9f177592056cc232cc050425a871d1dde04a79ff7a5e96a0b092be65fd64a9b6944758fe041cd4843ebe319e6569985443

Download Submit
\PROGRA~1\Zona\jre\bin\java.exe

Filesize
46KB

MD5
75c9f9aa8b2dea4b9792a783e3146dba

SHA1
e3d0f18744378a2c20c296b50e8d07b3b48aae10

SHA256
93d33fbed240395273a25c7e0b4c25843932f36f6e665c708892f32ed52359a3

SHA512
64d1bf9eda4ffa6122fcf9063035dd64a607926a4f099e6f85cbcb249c550e9d87cc384ee52fb87f860f9556ab0df498b1062b3addc5c12fba5636e095911cbb

Download Submit
\PROGRA~1\Zona\jre\bin\javaw.exe

Filesize
46KB

MD5
ae78e7f4f3b704aa806b9d112d500895

SHA1
b54ea3997fc07d4b479384a05ceb5ef629801efc

SHA256
99803fd5ba7d5d8e96b74e69dddf9ac31c54cf09a2db936ba6b2b7c9646153ed

SHA512
c9772fb5229dc5d148e6fdef391cd2bd371b2cc241ade4ad1fd37468d39b3fd1e7f59534341f8b053db744dac428de6e27229c8ecab880e060030ddc069d779d

Download Submit
\PROGRA~1\Zona\jre\bin\zip.dll

Filesize
82KB

MD5
83aa2273462019c5f1d8fabf09beb125

SHA1
5b481d8611030e960a6f4d334b023b9856ae7e0a

SHA256
532890eb323ae8e82f8e401e79d8cabf36e43da66682bed46b31fb919d11e2c5

SHA512
7841ea0e6f697c39bfa9aa89bb4db404d7285142320a127ca6d8b0798f60ad3163fa5e281417b21a87031aab81c89d43634a3807b414f22083c84713db170d7a

Download Submit
memory/1500-1448-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1500-1481-0x0000000076C90000-0x0000000076C91000-memory.dmp

Filesize
4KB

Download
memory/2544-1118-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/2544-1119-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/2544-2180-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/2544-2179-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/2928-1611-0x0000000076C90000-0x0000000076C91000-memory.dmp

Filesize
4KB

Download