4764436f3dcd75d3d3ab691107059eee1b541e73e15350cd412058aa05b67fd4

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
Size

129KB
MD5

28f17039154eb14be3a39797c1f7df78
SHA1

ef26a4fb11b1af0802c01e5682947bae1f83cd48
SHA256

4764436f3dcd75d3d3ab691107059eee1b541e73e15350cd412058aa05b67fd4
SHA512

0270f81b992990caf43a9166ce3647d1626ee3e0422526f992d8251c33201e275053f4ffec3a876e4b98ce14dc42bbec7dac012e529dd7a5c098f6e5038c1e71
SSDEEP

3072:COiyDxsHWq7IVNuutVY4t3hMafrZknlOwzmwNCdscout0QtI:xDDxsHnIJVY41hx9wtCdscoS0QK

Score

8^/10

adware discovery persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 10 IoCs

pid	Process
3000	javaSetup.exe
2344	jaureg.exe
568	Zona.exe
1852	Zona.exe
2980	ZonaUpdater.exe
1192	ZONAUP~1.EXE
2352	Zona.exe
2876	Zona.exe
1876	Zona.exe
1652	Zona.exe

Loads dropped DLL 37 IoCs

pid	Process
2816	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
1740	MsiExec.exe
2360	MsiExec.exe
1084	MsiExec.exe
1084	MsiExec.exe
3000	javaSetup.exe
2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
1852	Zona.exe
1852	Zona.exe
1852	Zona.exe
2980	ZonaUpdater.exe
2980	ZonaUpdater.exe
2980	ZonaUpdater.exe
2980	ZonaUpdater.exe
2980	ZonaUpdater.exe
2980	ZonaUpdater.exe
1852	Zona.exe
1852	Zona.exe
1852	Zona.exe
1852	Zona.exe
1852	Zona.exe
1852	Zona.exe
1852	Zona.exe
1852	Zona.exe
1852	Zona.exe
1852	Zona.exe
1852	Zona.exe
1852	Zona.exe
1852	Zona.exe
2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
2876	Zona.exe
2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
1652	Zona.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zona = "C:\\Program Files (x86)\\Zona\\Zona.exe /MINIMIZED"	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
36	1088	msiexec.exe
38	1088	msiexec.exe
39	1088	msiexec.exe
41	1088	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	MsiExec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
77	checkip.dyndns.org

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2224-0-0x0000000001100000-0x0000000001150000-memory.dmp	upx
behavioral1/memory/2224-28-0x00000000010A0000-0x00000000010F0000-memory.dmp	upx
behavioral1/memory/2816-29-0x0000000001100000-0x0000000001150000-memory.dmp	upx
behavioral1/memory/2224-47-0x0000000001100000-0x0000000001150000-memory.dmp	upx
behavioral1/memory/2816-53-0x0000000001100000-0x0000000001150000-memory.dmp	upx

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre7\bin\client\classes.jsa	javaw.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jaucheck.exe	msiexec.exe
File created	C:\Program Files (x86)\Zona\License_en.rtf	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zona\swt.jar	javaw.exe
File created	C:\Program Files (x86)\Zona\torrent.ico	javaw.exe
File created	C:\Program Files (x86)\Java\jre7\lib\rt.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre7\lib\plugin.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre7\lib\jsse.jar	unpack200.exe
File created	C:\Program Files (x86)\Zona\uninstall.exe	javaw.exe
File created	C:\Program Files (x86)\Zona\Zona.exe	javaw.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	msiexec.exe
File created	C:\Program Files (x86)\Zona\License_uk.rtf	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zona\zreg.dll	javaw.exe
File created	C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar	unpack200.exe
File created	C:\Program Files (x86)\Zona\utils.jar	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zona\Zona.7z.tmp	javaw.exe
File created	C:\Program Files (x86)\Java\jre7\lib\javaws.jar	unpack200.exe
File created	C:\Program Files (x86)\Zona\Zona.jar	javaw.exe
File opened for modification	C:\Program Files (x86)\Zona\Zona.7z.tmp	javaw.exe
File created	C:\Program Files (x86)\Java\jre7\core.zip	msiexec.exe
File created	C:\Program Files (x86)\Java\jre7\patchjre.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\task64.xml	msiexec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\deploy.jar	unpack200.exe
File created	C:\Program Files (x86)\Zona\README.txt	javaw.exe
File created	C:\Program Files (x86)\Zona\ZonaUpdater.exe	javaw.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	msiexec.exe
File created	C:\Program Files (x86)\Zona\License_ru.rtf	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\task.xml	msiexec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\charsets.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar	unpack200.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	msiexec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7164.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI74C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f776d76.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI867E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8846.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f776d73.msi	msiexec.exe
File created	C:\Windows\Installer\f776d78.msi	msiexec.exe
File created	C:\Windows\Installer\f776d79.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87C6.tmp	msiexec.exe
File created	C:\Windows\Installer\f776d7e.msi	msiexec.exe
File created	C:\Windows\Installer\f776d73.msi	msiexec.exe
File created	C:\Windows\Installer\f776d7c.ipi	msiexec.exe
File created	C:\Windows\hsperfdata_Admin\1028	javaw.exe
File created	C:\Windows\Installer\f776d76.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f776d79.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f776d7c.ipi	msiexec.exe
File opened for modification	C:\Windows\ZonaUpdater.log	ZonaUpdater.exe
File opened for modification	C:\Windows\ZonaUpdater.log	ZONAUP~1.EXE
File opened for modification	C:\Windows\Installer\MSI705A.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZONAUP~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jp2launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaureg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZonaUpdater.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "5361408"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	MsiExec.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_65"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0052-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_04"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0036-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0085-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBC}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F60730A4A66673047777F5728467D401\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0045-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_15"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_01"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_30"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_17"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_16"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0082-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_13"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0076-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_64"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\JavaPlugin.10802\CLSID\ = "{5852F5ED-8BF4-11D4-A245-0080C6F74284}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_29"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0055-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0050-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_50"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_31"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	javaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	javaSetup.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2420	jp2launcher.exe
1088	msiexec.exe
1088	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3060	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeSecurityPrivilege	1088	msiexec.exe
Token: SeCreateTokenPrivilege	3060	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3060	msiexec.exe
Token: SeLockMemoryPrivilege	3060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3060	msiexec.exe
Token: SeMachineAccountPrivilege	3060	msiexec.exe
Token: SeTcbPrivilege	3060	msiexec.exe
Token: SeSecurityPrivilege	3060	msiexec.exe
Token: SeTakeOwnershipPrivilege	3060	msiexec.exe
Token: SeLoadDriverPrivilege	3060	msiexec.exe
Token: SeSystemProfilePrivilege	3060	msiexec.exe
Token: SeSystemtimePrivilege	3060	msiexec.exe
Token: SeProfSingleProcessPrivilege	3060	msiexec.exe
Token: SeIncBasePriorityPrivilege	3060	msiexec.exe
Token: SeCreatePagefilePrivilege	3060	msiexec.exe
Token: SeCreatePermanentPrivilege	3060	msiexec.exe
Token: SeBackupPrivilege	3060	msiexec.exe
Token: SeRestorePrivilege	3060	msiexec.exe
Token: SeShutdownPrivilege	3060	msiexec.exe
Token: SeDebugPrivilege	3060	msiexec.exe
Token: SeAuditPrivilege	3060	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3060	msiexec.exe
Token: SeChangeNotifyPrivilege	3060	msiexec.exe
Token: SeRemoteShutdownPrivilege	3060	msiexec.exe
Token: SeUndockPrivilege	3060	msiexec.exe
Token: SeSyncAgentPrivilege	3060	msiexec.exe
Token: SeEnableDelegationPrivilege	3060	msiexec.exe
Token: SeManageVolumePrivilege	3060	msiexec.exe
Token: SeImpersonatePrivilege	3060	msiexec.exe
Token: SeCreateGlobalPrivilege	3060	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1852	Zona.exe
1852	Zona.exe
1852	Zona.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1852	Zona.exe
1852	Zona.exe
1852	Zona.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2420	jp2launcher.exe
1852	Zona.exe
1852	Zona.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2688	2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2688	2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2688	2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2688	2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2816	2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	33
PID 2224 wrote to memory of 2816	2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	33
PID 2224 wrote to memory of 2816	2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	33
PID 2224 wrote to memory of 2816	2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	33
PID 2224 wrote to memory of 2816	2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	33
PID 2224 wrote to memory of 2816	2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	33
PID 2224 wrote to memory of 2816	2224	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	33
PID 2816 wrote to memory of 3000	2816	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	37
PID 2816 wrote to memory of 3000	2816	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	37
PID 2816 wrote to memory of 3000	2816	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	37
PID 2816 wrote to memory of 3000	2816	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	37
PID 2816 wrote to memory of 3000	2816	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	37
PID 2816 wrote to memory of 3000	2816	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	37
PID 2816 wrote to memory of 3000	2816	28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe	37
PID 3000 wrote to memory of 3060	3000	javaSetup.exe	38
PID 3000 wrote to memory of 3060	3000	javaSetup.exe	38
PID 3000 wrote to memory of 3060	3000	javaSetup.exe	38
PID 3000 wrote to memory of 3060	3000	javaSetup.exe	38
PID 3000 wrote to memory of 3060	3000	javaSetup.exe	38
PID 3000 wrote to memory of 3060	3000	javaSetup.exe	38
PID 3000 wrote to memory of 3060	3000	javaSetup.exe	38
PID 1088 wrote to memory of 1740	1088	msiexec.exe	40
PID 1088 wrote to memory of 1740	1088	msiexec.exe	40
PID 1088 wrote to memory of 1740	1088	msiexec.exe	40
PID 1088 wrote to memory of 1740	1088	msiexec.exe	40
PID 1088 wrote to memory of 1740	1088	msiexec.exe	40
PID 1088 wrote to memory of 1740	1088	msiexec.exe	40
PID 1088 wrote to memory of 1740	1088	msiexec.exe	40
PID 1088 wrote to memory of 2360	1088	msiexec.exe	42
PID 1088 wrote to memory of 2360	1088	msiexec.exe	42
PID 1088 wrote to memory of 2360	1088	msiexec.exe	42
PID 1088 wrote to memory of 2360	1088	msiexec.exe	42
PID 1088 wrote to memory of 2360	1088	msiexec.exe	42
PID 1088 wrote to memory of 2360	1088	msiexec.exe	42
PID 1088 wrote to memory of 2360	1088	msiexec.exe	42
PID 856 wrote to memory of 1680	856	javaws.exe	53
PID 856 wrote to memory of 1680	856	javaws.exe	53
PID 856 wrote to memory of 1680	856	javaws.exe	53
PID 856 wrote to memory of 1680	856	javaws.exe	53
PID 856 wrote to memory of 2420	856	javaws.exe	54
PID 856 wrote to memory of 2420	856	javaws.exe	54
PID 856 wrote to memory of 2420	856	javaws.exe	54
PID 856 wrote to memory of 2420	856	javaws.exe	54
PID 856 wrote to memory of 2420	856	javaws.exe	54
PID 856 wrote to memory of 2420	856	javaws.exe	54
PID 856 wrote to memory of 2420	856	javaws.exe	54
PID 3000 wrote to memory of 1612	3000	javaSetup.exe	55
PID 3000 wrote to memory of 1612	3000	javaSetup.exe	55
PID 3000 wrote to memory of 1612	3000	javaSetup.exe	55
PID 3000 wrote to memory of 1612	3000	javaSetup.exe	55
PID 3000 wrote to memory of 1612	3000	javaSetup.exe	55
PID 3000 wrote to memory of 1612	3000	javaSetup.exe	55
PID 3000 wrote to memory of 1612	3000	javaSetup.exe	55
PID 1088 wrote to memory of 1084	1088	msiexec.exe	56
PID 1088 wrote to memory of 1084	1088	msiexec.exe	56
PID 1088 wrote to memory of 1084	1088	msiexec.exe	56
PID 1088 wrote to memory of 1084	1088	msiexec.exe	56
PID 1088 wrote to memory of 1084	1088	msiexec.exe	56
PID 1088 wrote to memory of 1084	1088	msiexec.exe	56
PID 1088 wrote to memory of 1084	1088	msiexec.exe	56

C:\Users\Admin\AppData\Local\Temp\28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\28f17039154eb14be3a39797c1f7df78_JaffaCakes118.exe" /asService
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3060
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\AU\au.msi" ALLUSERS=1 /qn
      4⤵
      System Location Discovery: System Language Discovery
      PID:1612
  - - C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
      "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.7.0_80-b15
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2344
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\Zona.7z" "C:\Program Files (x86)\Zona"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\appdata.7z" "C:\Users\Admin\AppData\Roaming\Zona"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2104
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" /copydll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:568
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" --readInitFile
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1852
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2492
- - C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZonaUpdater.exe
    C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZonaUpdater.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2980
  - - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
      "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\zupdater.ext.jar" ru.zona.plugins.zupdater.ext.Main update
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1028
  - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZONAUP~1.EXE
      "C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZONAUP~1.EXE" /asService /logPath "C:\Windows\ZonaUpdater.log"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1192
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:760
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" /copydll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2352
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2504
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" --readInitFile
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2876
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1224
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" /copydll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1876
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1948
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" --readInitFile
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1652
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2560

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 15DDCE0EA8E917037D5E38A38C47DFA7
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1740
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2ED057DC7438DB22F3762932C8574AB2 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2360
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"
    3⤵
    - Drops file in Program Files directory
    PID:2052
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"
    3⤵
    - Drops file in Program Files directory
    PID:2024
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"
    3⤵
    - Drops file in Program Files directory
    PID:2300
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"
    3⤵
    - Drops file in Program Files directory
    PID:2240
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"
    3⤵
    - Drops file in Program Files directory
    PID:2228
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"
    3⤵
    - Drops file in Program Files directory
    PID:352
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"
    3⤵
    - Drops file in Program Files directory
    PID:2800
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"
    3⤵
    - Drops file in Program Files directory
    PID:1652
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2592
- - C:\Program Files (x86)\Java\jre7\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
      "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator
      4⤵
      System Location Discovery: System Language Discovery
      PID:1680
  - - C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW5camF2YXcuZXhl -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2420
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DC8133A063DFC4911073A359CFEDB21B
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f776d77.rbs

Filesize
9KB

MD5
644ad291fd8a2835da8a2ac2eb2fdfa4

SHA1
fc73c0c63df9d295b9a11024af33f66b351ba86a

SHA256
8142f6430e01331e466b95e96a59b45094f662ac0c1aac8d320111b6cdbdda20

SHA512
477e3ef27c9d885fdb1e02dd2396cca4ae854777de2b51cb3c7e13e812f237d5acab52aec7ec2568bf37cdc72dbe03bceb9689a8459926a87e8be9c0d8445c61

Download Submit
C:\Config.Msi\f776d7d.rbs

Filesize
8KB

MD5
d09ab4389afb3a55bc29abaa3f787d65

SHA1
8e62fc2fcb8503e6cb6d14117d44cb9b50978c83

SHA256
0c8980945ecd39f378c4a3187e74e93dd3e0b6acd90c835b44161bd4cfd0e188

SHA512
bed53f241de998debd18271ed339c4720c4a361068a59d4bb12301c764fa81ebe9d59098ee7a627ba227d77da10a8bf9c3ebb561f9ade68ecca6f973fb4fafcc

Download Submit
C:\Program Files (x86)\Java\jre7\bin\client\classes.jsa

Filesize
13.1MB

MD5
79e0200d91deb57981166ce3a2f60688

SHA1
f50dc37424e9b7ac4ac0b6d624ae05c8276699d0

SHA256
4f43ca6b809b8f99c2b2b067883bd06aec71283fb5686c966752e8a90ec3b677

SHA512
e53ea9bfe92538688727dbfd3f8bd4f4f6f7ac23d1432b83d99080750c428e424ae63f38fcc2117b00c00f5097e92a90258bcde6b2d927ae72c38ca5a625fbbe

Download Submit
C:\Program Files (x86)\Java\jre7\lib\charsets.jar

Filesize
3.4MB

MD5
3f080df73b2d7cad61bddcf709aadc72

SHA1
616e9ec760722737f38213f43755131f836dd627

SHA256
dd213d0867714191e351f589dc709d6f3cafee819aafda8f8fe022d367ea189b

SHA512
733b65d3662f2eb9a8f64212e306d934929a05fd753040073f7e2769df77791c29aef9e35610b7b22597bbea6d805a8e04f93235fe761bf6bd5c5733c867025b

Download Submit
C:\Program Files (x86)\Java\jre7\lib\deploy.jar

Filesize
4.5MB

MD5
77b802d823d51ad8aa299e414e114004

SHA1
241c8b59e6fbf4fcdfe790264415ed2bf1af2206

SHA256
ccf285a0bcce9f79f74180f4767c2dbffccb52c8c2fd05c0e3669708ee6d60a5

SHA512
2d5b902eff2cf83820eae3e73b9a31745376e612e2cce5564f5cc38fb5506e83ec91e6073d4ed47ec6d9d9abf3f171652db72889fc6b8222bb09668689be2e6d

Download Submit
C:\Program Files (x86)\Java\jre7\lib\javaws.jar

Filesize
882KB

MD5
77187a69d58b89201466a53e6875f8ec

SHA1
0fdbbbe09e58a46948e5132c3d3207e43ec94daf

SHA256
3d3672969e99ebb2aa54bc6f0a8e6714c754038d3f2e664822c971209d35307d

SHA512
a9aa997232e5afc7fd2f989e9f05e7743f729e66d61aa59bd3ba0276b1874a4cec05851ab4f513e873ca96b7436dfc40f902e92a4da4d12ff120d065289912f0

Download Submit
C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar

Filesize
12.9MB

MD5
100e636bb4ccfa983dbcfcb5480ba8b3

SHA1
8750dca02791375555054cf81252f4c5e276a042

SHA256
d58af7d9df8e2509ee36ba0d4f9f198b7121fe806f663092d969c39c97a21120

SHA512
2407523c9af09be10e2a8544e7e32019ebc0e381ca2b2288e43cf2b988633272ebfe0acd6bebae51d6b9d8f91b3ea8e5823bcc0c9b696d416ccb5e083a8a236a

Download Submit
C:\Program Files (x86)\Java\jre7\lib\plugin.jar

Filesize
1.8MB

MD5
d1629dd609f3f1be02e254a64b4c259f

SHA1
091fc2be38c41368fb92d9e42e2dcab6c70b5be9

SHA256
3cb132271e9005087bb25e183a69a2b71966e70e98de2c8a86518f841471218a

SHA512
505af490b14bbdf9c9e4e078a7885dcb0f52a1cdfe1b603ba709305216faa9b60275f947c4757779d2bf34ecac6fde927f6c0b9d2b98619b7edb0f0ebeba8bf1

Download Submit
C:\Program Files (x86)\Java\jre7\lib\rt.jar

Filesize
49.4MB

MD5
bac77d8d145bd553c7efdf7978d9dff0

SHA1
31da52beb0237a6ffd6ebc4a766d92f12a226fb6

SHA256
a85b24d93ceb6095691838dda51d31bc5e8dc94663514b46c48d7c41d351aad2

SHA512
2aabc1986338a68cdecf6d46afd6492a90940d9412bf8f7ad7c6183091403a784244ecf1007dc3875a892c0b1c2557f5de31f387011ca8db657f4367f5fc86ba

Download Submit
C:\Program Files (x86)\Zona\Zona.exe

Filesize
1.5MB

MD5
36420c8fd3da665b877922285fa7a9aa

SHA1
177dec7fbda2393acdf60cf82eb90b644124d10a

SHA256
bfe1e4c4af9ebbdac70af95af1c6c286d5cfc5b5dd40bd60206197eac001a5a9

SHA512
7a5a075b38e951c1ac187215a75d94d859b782ed9ddcde6078ddf6d484c5382f9a46e7a804db020cd923d45a23657bf5e54b661e1c1089047befa70125ca4958

Download Submit
C:\Program Files (x86)\Zona\Zona.jar

Filesize
20.5MB

MD5
69e118af2dc21ce84baf781b53e2b872

SHA1
cd3c3846f5d4feff41e7218fb76364af2e7eecc8

SHA256
e12c3462a65f5e67a4602f24faf0f75854ccbef95812741f1cd551bb343f735d

SHA512
ca052d398a0a1d14a6ea93f704d30f863f3d0db5d958b304e3e0f15c012719d95f04bf94286fba43a5fc6160bc4fde855179e03625d456b6476c30895a749a47

Download Submit
C:\Program Files (x86)\Zona\swt.jar

Filesize
4.0MB

MD5
16c993b2fd84c9b943745f5cc79b8463

SHA1
46d982d35acb4469fa65418168cd47717982d6cd

SHA256
2d251c65f6fca0ded2aeffd98a7a4c6f49f51ad4ca436bb0ae35d08f22765cf1

SHA512
46d4ff0046865aa36d8e1cf1be57a50c16d7ac4434ba695078f6ecc5d52c0e8d0b37b9ef144a91864973936838123d5b0423029f193c30f06e57bb564a557f4d

Download Submit
C:\Program Files (x86)\Zona\utils.jar

Filesize
28KB

MD5
588b2034783f7a9f9a676b5b05e4761e

SHA1
08958944bcc5282e3c43e2cb56fdf35dcec232a3

SHA256
519c51ee832761160864adae65e3ffd2c7dbe8280375cd0957926e980cbf6fa3

SHA512
55158bba1f9cf1485a8320d59d1f0be88660ff391d50ac5a511a7be077b3ea8e82917d99f31a0f5ae20233d203a9546ff962550257433fc4dee1cd39ade8e93e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c54b4e093b056e68307de6c0a885000

SHA1
c1557937a978e5dd8b9621411a958824fc0c39c3

SHA256
48bd9b466b082723367a23d5c963284d34a6185b23396c75940fca76672d089a

SHA512
782af1003143e72997e56c2829b10ef476d7c09d33c8d12a84ca5f24038bf95f3ea3be41f4d7be9c5debfe7dd581feb65ce9d3436441cbeaf4de7baa6dead832

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9191750fad50878e6d5c6c0ea648e305

SHA1
648a9d4f31d05d77b2445747900aae7eb9bc4679

SHA256
d094d6c1059afcd54d417bd42f4aa49b9475ce88a35831144a05bc8618ec3cef

SHA512
2035c22df6f23e7643453c0d95f44b78c25d4cf582fe9f4d22f8b2d36a020322a83620f8c4829e4fb3ec7b857bd32ce7351901f2b97ddf5f864eafd3aab39f5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\AU\au.cab

Filesize
588KB

MD5
5faca38c639cb2a317ca4280d0cf27bc

SHA1
2e7fb7cf0e30e5417a27fc8c13d280ff1d7b4605

SHA256
ad2aa0b273965408879e44ed8f9ed9a017facf6fa9ef48cc25ddb26aeb7cffaa

SHA512
bdf51f3885d248458247116cd73f3940ebb5618814485fc2b3e8fc6d75e2a326f3c3482a859190cf818c684ae0d93ff82ac3439ff58d1313f2fd74567cafa257

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\AU\au.msi

Filesize
155KB

MD5
55d7e66e49c3994eb5e1004a5efd22b1

SHA1
aa8a045dc0c161e95804f76efe27f1f572072fa8

SHA256
0a833d92b4d4aa068b0cb256b87c0d3495c3cc4a021be86c072095fee467b379

SHA512
2492ca442c4f6aab1f085a54bbbc1a95b836f033f1c8748fa6c3873997a397020baedfc1f661d751afe30ade3ab14b66a676a4731696b6c90c5c3adfa6c2bd2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
5d1dd1b9a15a22fe9eddbcbcbc788266

SHA1
a322f3dfc79df405a42c89c4599ebee701db393d

SHA256
9db8d19992d03cd08f2917ef2d8259f37230744707dd1080c5d43877824570ac

SHA512
1506d0ae5b17abec58c5e199c6b22aa9149692c2fb1f47b38005b64e8f81a0edb52b25878b8924931b91ed396ee3f1aa47067902357c594569767b6738281fe9

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\Data1.cab

Filesize
24.6MB

MD5
003a488a2139105704566b47eb29520d

SHA1
52d672a592cd52ad5e2e7239421f2659e0d17afa

SHA256
a84262dd486cf59049d0d2d9a1b00dfb5aa5271592edd8de0e052f12496dec67

SHA512
ab34061f8e04bb1d59f1b35e0e1848a176f2b119095e79015130da3a4384c70fa35ecbe1625e07c0eb0de49c67bcdbba59f10fa1dfbbb2066dcb6ee6825215de

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi

Filesize
898KB

MD5
e24d9b483ce7a3a6a4406111883457f7

SHA1
0d5efff0d110c48f5e6f5d438967427f1e2dbf84

SHA256
dbf28e21d55dd662cccf4d422a1a645a6a3dbfd6914942dde417d20c4d2fe01c

SHA512
b614b023ce683e78ee685be028fa06d7df90f10360d55de2a8c1214200b0b85998683502f377b01584bf23b72b168c33ef560a78d7abdf68aa3af87beca59398

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab676A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUpdate_r33.exe

Filesize
146B

MD5
8eec510e57f5f732fd2cce73df7b73ef

SHA1
3c0af39ecb3753c5fee3b53d063c7286019eac3b

SHA256
55f7d9e99b8e2d4e0e193b2f0275501e6d9c1ebd29cadbea6a0da48a8587e3e0

SHA512
73bbf698482132b5fd60a0b58926fddec9055f8095a53bc52714e211e9340c3419736ceafd6b279667810114d306bfccdcfcddf51c0b67fe9e3c73c54583e574

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6D83.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zona.7z

Filesize
6.5MB

MD5
1000528de212b75d1e98e1b79f725681

SHA1
926ec452e688c23bfd27569e461ade6bc3e5e569

SHA256
89a9297525284c9d7d93e782d7709f02530844475915dbafdaa6086c1c26c187

SHA512
123eea76302579286371023c112d12e28315d50dfdb613d6f0c6499c502b4987f4d07a10cb49b7b0e58ba4396680312b15c1c833202471f08e10b90fb71142ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
87b651a71b695152fae2e5bb80824e1c

SHA1
78c4aa462a407515f94d94b657a121e354ae7019

SHA256
5f4a70a11d52f93ba1f92e38a1f3e6ea385e8d18012241e26f73674e7946b8b3

SHA512
6d1a0965f2b36d0011c282060571d88114af54903bbc720583afdd5182fedc8368ffba2b9d886f5a3bc9d6ad14a73a7ec59664c62950e19ee3d019116a55a434

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
1499ea41cad058b9a8d31beae9116307

SHA1
39f38b90212db14872a4ef95e735ff6e61e3de3d

SHA256
a07fe71f5384f41ec58b4f3e71394330ccf6382919ae8fdf8fad83837f639b95

SHA512
1f183b6b2a0f12db033c82bdb35a37b96d67c4b88b0a9e9b1bea9d5ad3dc200e3aff84ce212700ced9dc8931a21ae57b9c1605217a60fd03d8dae7da1be3ebf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
37347b65ceb6fc1ac8adca81f5f0136b

SHA1
148e600d538dea799098e71a4284bbdff034915c

SHA256
d001b960171ddb5db72b62c6641c027332673fbe343278147e146ffa67b1b308

SHA512
1d5bf0dfc4e5915ebaf5578190abadf6b707036a9c4893951d60aa1fd27c1cc8af0c836501b946dea6bdc3f1c2bef3bdf62f954247eaacff3dfd1eff8361cf56

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
24feb84afc0f47ccdbe5590f7b2980af

SHA1
52b8b423af6d34c3d149890c3cc292f6d5c5a568

SHA256
8786848f47a0f2a226ad2faed2f1145b904d791174995a399868583086c833b3

SHA512
5df3696dbd35fe83e543dbb95d9ba31ed1ff07275c04e5f60328cc0528ff1ad15351f5157d2d8c7e2ed5827defc737df47ded99fb6d348d4efe3cdb8b90f08a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
6a355b222913bbd7a78a6ba1ee55faa3

SHA1
fcc8bfeb4675a66813eac307669b1c66638926ed

SHA256
ed010344dfb7cd4fa30263bc6bf1e678523934674f98c5bf591d56d545a8ec22

SHA512
35c511eb292f5818e19a2f25ac9e266a7042831abc55b902abc1cf670fed308a463036b455bde6c63e5ae612eff44e39f57843a00fe2e0cacdc21d36dc760085

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
305f9ca1837dee756f8e5a1087b6045f

SHA1
d110a10af6af46372d13020e27642004c5211bfe

SHA256
5eb9dd9da8e7fd7e290ce642d39c5b2f99ca34fc3eda76595ad48009c7baed30

SHA512
7c032517501af568ee732577618d3a3cfaaff635ebde0f514bbaa185f5b64ed981df46b4397ee2b489a288c3800a178389e02ee5bf8123ab2dd1de3d485e982a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
674B

MD5
041637366e03caa0b5e3281478ea225f

SHA1
504a2986159e627b98d64d2183221a1db5f61edf

SHA256
1f65dd4b3e6946c7355554d7c2b40fd0ab0aae73e9c19d8a8afafc9f26d692e6

SHA512
813ca65249f015b08f3c27b44fd86e41959b23641802acf403fcd322641ac530dd82cd686c276e3c617f37f8813b3742e6256490b3fcb6bec0d0669cb631d8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
221fba5125ac63f62d13085f524f17d5

SHA1
8fbe1c8135f3f8e048d7fa03c61c6a8fa291fde1

SHA256
0557bfb164b9c8d7a154e3859477c37a8fb19b1e79c9973d833622c3a1d78483

SHA512
64692100eba2b871f48f8d1de09530c75646176fda1a5fe30c8f3c182b8ca2c16f654c721ea1bea9556fe8d3ff6d484f15a6808924f7008c5d11a61e9a31e07b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
7540cf2aee987a4560aef288c0aae25c

SHA1
7d1e049373664b475ae992d2b046826c7b96fd5d

SHA256
8f45ba46a5e86aedb6fb1390d81d2532222dad925205a54ecbb50076a9416598

SHA512
2f10bd7a9b11212f83e5e2e51a3201ce33b6442d3b6e000821e746a0eeb0da092508fdfe58e12896021c3bf30e371b2f029f68c8ddfd5df9a0c02c2fe15ba493

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
2fe938bb1935e88f92c7b15ceb82a0a5

SHA1
94e31d7a9861368fd0dc9aad7ac3007339635c4f

SHA256
3d136a90a3bebc8c3df760a8c7a6aa9893ed9f6e114265f5ddfdf6e17e21f600

SHA512
22a67c8282849dcd1b87e20d10a1c9b75d842a3db2dd4d507ad69654c32e004da727c6489164dd9b228278d6e8f16e405ea99143da73e7f13778abc04cd455cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
191554ab6a92ce4a41fc01f8b8e74a86

SHA1
78f3d5aba59cb4adef608360f9c43ab62b3937ab

SHA256
a7d03280ebe21bac49be49bc5c01e81d545e9dfb79675a64c451efea3f93204a

SHA512
395f24e7b146eef82d4651029ce5b7e9968a02f1b6e0684cba1a01aa09354aa1401d15257df527541523b1ff0de97a1542a7b1e17a29c9ad3fb0c3a3b55c6240

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
912fbe6cb056bee69cb35d7a84037b11

SHA1
097188f3357f750bc1a4e1ad3e68e33eefb24394

SHA256
74a6f7c08264e41d183a2fe09026f8bc3631bae72425c4f5d78f16f678331dbc

SHA512
8eb214597f3d403c53bbeb50f0b71f447105d9d7acef412d11d4f9caeb1460f1e2a663cb0ed4d86da9f9e13db9438a48d4ccfc1c754836f5647f1d341fffc0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\appdata.7z

Filesize
19.7MB

MD5
caa8ecbd2704a23b18d8430bbc9e6b11

SHA1
8db93dff741cd35c6cf5db7ee9a7804c58697da2

SHA256
af76dad2973ba0a79971f410569ecb93987bc3b16be257f71a16c521367604e9

SHA512
f6cd4bd69cf7e1d1a8759b1abe910072a0a1bd81e71a30f6ba45bae7f26fccaec353ea4b390ae5e81d617c4dc1f5e2c7eede84ba9bcdcbebffc0fbdbf0df9a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\javaSetup.exe

Filesize
28.1MB

MD5
f2fd417b6d5c7ffc501c7632cc811c3e

SHA1
305c1493fca53ab63ba1686c9afdfb65142e59d3

SHA256
a87adf22064e2f7fa6ef64b2513533bf02aa0bf5265670e95b301a79d7ca89d9

SHA512
289ee902156537e039636722ad5ac8b0592cf5cffda3d03cf22240003627b049382b95db1b24cf6a2f7134b0df93ede65a80a86381fc161b54c84a76ed04458b

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
194KB

MD5
a4a7a1bb494c3808f6c61b7a016b0e1b

SHA1
78c93a6cb226ae9fec29eb5727737b88457c09ad

SHA256
415da94b6e737947ad017a683a71fa1ab41229ae062f46e18ad8b427dc63b6b9

SHA512
9cf5f993f137024edfe2c35186beaffd891cfc8122d527a95cc42eb098026766ae35f2c53625f50b4821f54b055f21dbe99e6da3dc4c08ffa49419b58553be93

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
195KB

MD5
a256804cf7979b72a2e05766cdc6e6a4

SHA1
7318c80b4ff40c397a27cd2fce6c157bea503be6

SHA256
0ce92642049b8d6cd1925f5697eb4fd699594fc329d590fb482f9430a449c4a5

SHA512
8c8fd367f8e990ae1d291b66ae34efd76dc547e53d3e80b334ce00fc05a703c9a4316025426363106f614ecf64567bb98b918ab019ed084ba47e06f634c397f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
195KB

MD5
95b6db47d83e1c43fe0a6dfa89b6cf4c

SHA1
ce67c5f379dca2775815dba04875bee40dcc8c14

SHA256
c3fccdfe60a45a816f9389a8ed5678862bb151d10d58d5ed7275a7d0e3714388

SHA512
4c9df5f9d618bb0d6827ff187b0f7ba1bc7b17fb34635a84a37353837b5afc6c0c4ff0c913608edb6ec478c540d79084fe2aaa15f45628ab4a53938a223dbbe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
196KB

MD5
b0949b14d1ae9196d12eaccaa0b62107

SHA1
4acd9a8d1411037d73667808f243572d2239c436

SHA256
295f8c8bb8e6a16f72874ca3bffdf21b7f4050cdab3bdc1bf055f6a86ce3ea95

SHA512
b25bcaa9dcb3491a98c799d3281fc88988fec2d6a50c2c127c89a5fea789ec657ab3da53ce54b3f1dd40d33c7f415935bc57b101c23b07d7298864c9047cc906

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
197KB

MD5
2b86d39053fc6e56bd766e03b26a52c0

SHA1
ef3dc18b0959019ac4501feb955921fb0053907f

SHA256
a0c4e58373a32071c13ea9d822f62773b50746a310cd371e425a2156963e0548

SHA512
b156b87ba767de35d4be1738eebd393fc584c2294f529834f20d63d5179c6b198925c68b94af63243bc667fd5f87792886af2225c1f3d7933e311b75ad1bc173

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
602B

MD5
067226a18f3c44419f7d90b888dfc264

SHA1
6734fa4112f6225efb822c1fad077fbd9d98b948

SHA256
d44a40d5663bb335bdc67c49c2c73bf621c90022066f3ba61ab89daa5d6df0fa

SHA512
951026d443f696918caa26a950a48a08fdd6ceda4ec6d8d94c580d2bd36fcbcce73ba3fb275146b01e4a5e8c1fbb852a52042b8f47b4736255e20f4cf48900bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
8ee1783801d72d87f73089d9b1f34850

SHA1
cc5ea522343dd6cc696d324e60aa1c9c9bcd5fc0

SHA256
0518afb5b8d594a4b77819ba4f947a9676c388942b7afc3a8a4c90014b0adcda

SHA512
5f7172d2abb64017a515588c29dae544f178bb93821d1e9e844af168c3217adfcf090da21b5ed829ac9298364431eda08e86974fe34c9aa8f4847ac06a65a592

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\init.xml

Filesize
329B

MD5
017845bf1f6cfbf48d8bbeef6218f02c

SHA1
f9fb5dc808094b071972f7d7a4f892456d6d645b

SHA256
f21a530c7bc6ef00ff154ac899ce6516508a0f210ce9c249987f940ea72d8524

SHA512
72488ec28a7c4a62f8471eb07e94eedabecd50bbbfb70bf286f35382e7b55d65c1e3d6219352b2426c5821ecf1ae2dea0d601efbb8bafb5a3c3b656e791b4262

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\launch.log

Filesize
2KB

MD5
dd3b91822dd52399b23a7e5992c03d61

SHA1
3d20c2c3cc6af5b0614933d54aa66882d0865c5d

SHA256
94140b1462dd6a3715d101be514e69f95f28e18b6b786f4462dcd5cdee99ebf7

SHA512
796ca71ade16000233639283d4014ef4d83ef994f4fec0c07f3a9ee13e59947de8c036aa2b76341c480e6e55fe828e62c1f21935c56fe6133c389f7e49bb2711

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\launch.log

Filesize
5KB

MD5
afb2a1f42960fa15d14e4064c43debd7

SHA1
9d00d015167358df43bf77d2df73dbb6b1b8e80d

SHA256
55d5297b4072d7a86b21a09fd0e7e0dca57f9cb5eb3e46fcef51c4c7bddce920

SHA512
86a3b1e648d562076b372f68a8d360c62c54cbad3e8409dd77e1c43eed1bbce90fb27a5571577bb2ac9a9b1c1120fbbfc0543b02afa8b993736043dcd1fa2242

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\torrents\AZU2076223231702163040.tmp

Filesize
28KB

MD5
cadd1d3521af856893bde2a1db1804b1

SHA1
a0a9f1a3b729af16555972302e75035776c111b7

SHA256
ce03e50d68c97ce903cce1d337b8b45d5df43cbf5fdb15fec4b19ea55242ad76

SHA512
503a432c79ba9970f38cc5aa8e5f99e9b11ddd862badfd22050db0d65780b87688d286dfab3164dfeb86d5a03f8260c251a021b4e76ae47060fb3853e6dab6e4

Download Submit
C:\Windows\Installer\MSI867E.tmp

Filesize
81KB

MD5
3e3dec97820c7402decbfde40b91bf72

SHA1
eb7a38fbf763e6af27b35f718b95012596dac5e8

SHA256
afa7f8f230350bafb29d14ecd71f06f146c49b374ff5d577503e3f3bbcf48969

SHA512
735735ac8299276418cc025ef8356e25242855cd750d965dde9e49b3e66bcb3e68f7f998f95f1defbce803908e158a2cd2baa55193180909893943b0ab4c7c4d

Download Submit
C:\Windows\ZonaUpdater.log

Filesize
2KB

MD5
52563f9dece7fa6a800d94e822db4b76

SHA1
7392c50ae34b3227e23458860834b9e232a6d18c

SHA256
10b19b98e6c15900ee6cf4538ff9606f1d172a467b2f173a0a834e75eeaa5d7c

SHA512
99a4a08067601f615528dc79e86f788772b5e2741c86f9bc26d63c824817ff39894f6be18c3fff8f06e6c55c2555942e4207ed4c1fd151160b1aa813105730fa

Download Submit
C:\Windows\ZonaUpdater.log

Filesize
3KB

MD5
3506021657e549bb247b1d35016d9b76

SHA1
15b71b8cab83d322c7030e9f6eb12a74c3e5024a

SHA256
4e1147699cd4e77d04a09cc11174754dd49010a09a241f531a4a34da1699f432

SHA512
f1ff40757d7bdaa4a7b7c7693d5d766f779df2bae68ab83a3fe3e3879ab2302a29a465e35ee91ffa4b76b984d99c45b98be469b98fcd0f9368f1a121144f3371

Download Submit
C:\Windows\ZonaUpdater.log

Filesize
2KB

MD5
64c7cb360eef3be87b93421ff5d4dae1

SHA1
a2fa299a87321c0553152c9776299db6662cf0d3

SHA256
ff6a92cca3dd33df8da3f8bb6f650716105e4fdce0ca197453cb708079b0ce04

SHA512
510e32b29fc2f421eb2df24edd504d1e2825512caf1baa7439694b3b23032884b10e981f67d98bd1ac7514a95b6f5886ccacb91abb2626ae151c81041c14b931

Download Submit
\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Filesize
229KB

MD5
a6d7d454c641f7b1fe566987fa5675b5

SHA1
ce07ee70116514c05361754bbef64c3231acad1f

SHA256
9ce45422200ab8f3552d51aec143eb185127be67ae5a3fe8eaf7b80789a2a7c1

SHA512
805b365f3440ad2e3e1d41de834552990d6ca29d4a82e333e3d86879eff3bc6d22d8f95286d35ff059a52b362636652a7ba49710155365974ee2647d8fc13afe

Download Submit
\Program Files (x86)\Zona\zreg.dll

Filesize
147KB

MD5
6f5f6e46aa832672742a9de2444e5bb7

SHA1
ced2ebc424a5d1c0dd8d71c56cf9d0fa0aef3a9f

SHA256
dccf0a2e88291e89404661dbd1438824828cb3e0acdce8f54f10ec5a8982cb63

SHA512
78460256a5f3ddd035bcba3e8d41dbb66f4084824116a43e1787eacb61114abc38d82b71d29abf7409aaafbe675fd764054e095d4405a6a702235a66c7260f2f

Download Submit
\Windows\Installer\MSI705A.tmp

Filesize
202KB

MD5
9f84d910602183954bed6d9660600783

SHA1
82e3b122dc63e0a333bca531dd16667d5fafbf23

SHA256
bf4e4c75d148cb412e28a0b4e665919fd5ac6b9aa6bc3fa75401394759218d5e

SHA512
09fb450e6c6f22a32d5e06f470070aab17d4973afe307b529093af7fa29ab96b61a89814e4964d005459f8ebb25716134a5e1c41f6ea7d260361b135306544b9

Download Submit
memory/1028-1089-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1028-1091-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1680-212-0x000000003A000000-0x000000003A010000-memory.dmp

Filesize
64KB

Download
memory/1680-235-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1852-1124-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1852-916-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1852-1114-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1852-1121-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1852-838-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1852-955-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1852-855-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1852-1125-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1852-1128-0x0000000004A70000-0x0000000004A83000-memory.dmp

Filesize
76KB

Download
memory/1852-1112-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1852-772-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1852-777-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1852-789-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1852-797-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1852-806-0x0000000006FA0000-0x0000000007010000-memory.dmp

Filesize
448KB

Download
memory/1852-812-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1852-822-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1984-627-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2104-492-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2104-545-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2152-455-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2224-47-0x0000000001100000-0x0000000001150000-memory.dmp

Filesize
320KB

Download
memory/2224-0-0x0000000001100000-0x0000000001150000-memory.dmp

Filesize
320KB

Download
memory/2224-28-0x00000000010A0000-0x00000000010F0000-memory.dmp

Filesize
320KB

Download
memory/2224-48-0x00000000010A0000-0x00000000010F0000-memory.dmp

Filesize
320KB

Download
memory/2224-51-0x00000000010A0000-0x00000000010F0000-memory.dmp

Filesize
320KB

Download
memory/2224-2214-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/2224-636-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/2420-397-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2420-257-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2420-352-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2492-691-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2592-206-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2816-29-0x0000000001100000-0x0000000001150000-memory.dmp

Filesize
320KB

Download
memory/2816-53-0x0000000001100000-0x0000000001150000-memory.dmp

Filesize
320KB

Download