40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
Size

129KB
MD5

17ddfe4a848a8710ad64af3f4244e050
SHA1

166cb2b4aa76e9328ea09b5b6b3fbac5ef2604cd
SHA256

40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382
SHA512

b8f118e5a8127eef7aa531e00d1c46a129c8f64746e0902964179cd4fb8c00d69750b0940493bcbbce6f66f0d13b7d6d7443baf47092e574e1317c861fa49675
SSDEEP

3072:qOiyDxsHWq7IVNuutVY4t3hMafrZknlOwzmwNCdscout0QVp:5DDxsHnIJVY41hx9wtCdscoS0QL

Score

8^/10

adware discovery persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 35 IoCs

pid	Process
2396	javaSetup.exe
1564	unpack200.exe
1800	unpack200.exe
1756	unpack200.exe
2404	unpack200.exe
3000	unpack200.exe
2692	unpack200.exe
760	unpack200.exe
2592	unpack200.exe
2556	javaw.exe
1088	javaws.exe
1952	javaw.exe
2236	jp2launcher.exe
1860	jaureg.exe
1620	javaw.exe
1768	javaw.exe
1508	Zona.exe
2924	javaw.exe
760	Zona.exe
2808	javaw.exe
480	ZonaUpdater.exe
904	javaw.exe
692	ZONAUP~1.EXE
2848	Zona.exe
2380	javaw.exe
2764	Zona.exe
952	javaw.exe
2400	Zona.exe
3036	javaw.exe
1364	Zona.exe
2240	javaw.exe
2180	Zona.exe
1464	javaw.exe
1512	Zona.exe
1052	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
2596	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
828	MsiExec.exe
840	MsiExec.exe
840	MsiExec.exe
1564	unpack200.exe
1800	unpack200.exe
1756	unpack200.exe
2404	unpack200.exe
3000	unpack200.exe
2692	unpack200.exe
760	unpack200.exe
2592	unpack200.exe
840	MsiExec.exe
840	MsiExec.exe
840	MsiExec.exe
840	MsiExec.exe
840	MsiExec.exe
2556	javaw.exe
2556	javaw.exe
2556	javaw.exe
2556	javaw.exe
2556	javaw.exe
840	MsiExec.exe
840	MsiExec.exe
840	MsiExec.exe
840	MsiExec.exe
840	MsiExec.exe
840	MsiExec.exe
840	MsiExec.exe
840	MsiExec.exe
840	MsiExec.exe
840	MsiExec.exe
1088	javaws.exe
1088	javaws.exe
1088	javaws.exe
1088	javaws.exe
1088	javaws.exe
1088	javaws.exe
1952	javaw.exe
1952	javaw.exe
1952	javaw.exe
1952	javaw.exe
1952	javaw.exe
1088	javaws.exe
1088	javaws.exe
1088	javaws.exe
2236	jp2launcher.exe
2236	jp2launcher.exe
2236	jp2launcher.exe
2236	jp2launcher.exe
2236	jp2launcher.exe
2236	jp2launcher.exe
2236	jp2launcher.exe
2236	jp2launcher.exe
2236	jp2launcher.exe
2236	jp2launcher.exe
864	MsiExec.exe
864	MsiExec.exe
2396	javaSetup.exe
2596	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
2596	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
2596	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
2596	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
2596	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zona = "C:\\Program Files (x86)\\Zona\\Zona.exe /MINIMIZED"	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
30	372	msiexec.exe
32	372	msiexec.exe
34	372	msiexec.exe
36	372	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	MsiExec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
83	checkip.dyndns.org

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\java.exe	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\java.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\javaw.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	MsiExec.exe
File created	C:\Windows\SysWOW64\javaws.exe	MsiExec.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2152-0-0x0000000000140000-0x0000000000190000-memory.dmp	upx
behavioral1/memory/2152-52-0x0000000000140000-0x0000000000190000-memory.dmp	upx
behavioral1/memory/2596-56-0x0000000000140000-0x0000000000190000-memory.dmp	upx
behavioral1/memory/2596-1488-0x0000000000140000-0x0000000000190000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre7\lib\fonts\LucidaBrightDemiItalic.ttf	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\jfr\default.jfc	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Thule	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Enderbury	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Funafuti	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\sound.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Oral	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-14	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Indian\Chagos	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\security\java.policy	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Creston	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Detroit	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Indiana\Indianapolis	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\dcpr.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\javafx-font.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\JAWTAccessBridge.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\management\jmxremote.access	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Vancouver	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Tokyo	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Berlin	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\London	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Tashkent	MsiExec.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\cmm\GRAY.pf	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\plugin.pack	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Cayenne	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Santa_Isabel	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Caracas	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Damascus	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\COPYRIGHT	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\fontconfig.bfc	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\jsse.pack	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Belem	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Miquelon	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Saipan	MsiExec.exe
File created	C:\Program Files (x86)\Zona\Zona.7z.tmp	javaw.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Johannesburg	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Merida	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Antarctica\DumontDUrville	MsiExec.exe
File created	C:\Program Files (x86)\Zona\Zona.exe	javaw.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Phoenix	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Hebron	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\ext\dnsns.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\resources.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Atikokan	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Mazatlan	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Novokuznetsk	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\SystemV\EST5	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\SystemV\HST10	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\orbd.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\javafx.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\security\java.security	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Kabul	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Belgrade	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Tallinn	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\pack200.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\Mendoza	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Guayaquil	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Campo_Grande	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Bougainville	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Gambier	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\JavaAccessBridge-32.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jdwp.dll	MsiExec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSID7F2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC0A.tmp	msiexec.exe
File created	C:\Windows\Installer\f76d281.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76d281.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF1DD.tmp	msiexec.exe
File created	C:\Windows\Installer\f76d284.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76d284.ipi	msiexec.exe
File opened for modification	C:\Windows\ZonaUpdater.log	ZonaUpdater.exe
File created	C:\Windows\Installer\f76d27b.msi	msiexec.exe
File created	C:\Windows\Installer\f76d27e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID969.tmp	msiexec.exe
File created	C:\Windows\Installer\f76d280.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76d27e.ipi	msiexec.exe
File created	C:\Windows\Installer\f76d286.msi	msiexec.exe
File created	C:\Windows\hsperfdata_Admin\904	javaw.exe
File opened for modification	C:\Windows\Installer\f76d27b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF2D8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF3A5.tmp	msiexec.exe
File opened for modification	C:\Windows\ZonaUpdater.log	ZONAUP~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaureg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZonaUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZONAUP~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jp2launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "42322272"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	MsiExec.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_12"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F60730A4A66673047777F5728467D401\PackageCode = "F5BD0BDBEB49E304595FE827A5E24F92"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_22"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0040-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_41"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_31"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0036-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0050-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_50"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_06"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_16"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_18"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBC}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_05"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_12"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0018-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0034-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_65"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_21"	MsiExec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	javaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	javaSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2236	jp2launcher.exe
372	msiexec.exe
372	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeSecurityPrivilege	372	msiexec.exe
Token: SeCreateTokenPrivilege	1844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1844	msiexec.exe
Token: SeLockMemoryPrivilege	1844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1844	msiexec.exe
Token: SeMachineAccountPrivilege	1844	msiexec.exe
Token: SeTcbPrivilege	1844	msiexec.exe
Token: SeSecurityPrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeLoadDriverPrivilege	1844	msiexec.exe
Token: SeSystemProfilePrivilege	1844	msiexec.exe
Token: SeSystemtimePrivilege	1844	msiexec.exe
Token: SeProfSingleProcessPrivilege	1844	msiexec.exe
Token: SeIncBasePriorityPrivilege	1844	msiexec.exe
Token: SeCreatePagefilePrivilege	1844	msiexec.exe
Token: SeCreatePermanentPrivilege	1844	msiexec.exe
Token: SeBackupPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeShutdownPrivilege	1844	msiexec.exe
Token: SeDebugPrivilege	1844	msiexec.exe
Token: SeAuditPrivilege	1844	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1844	msiexec.exe
Token: SeChangeNotifyPrivilege	1844	msiexec.exe
Token: SeRemoteShutdownPrivilege	1844	msiexec.exe
Token: SeUndockPrivilege	1844	msiexec.exe
Token: SeSyncAgentPrivilege	1844	msiexec.exe
Token: SeEnableDelegationPrivilege	1844	msiexec.exe
Token: SeManageVolumePrivilege	1844	msiexec.exe
Token: SeImpersonatePrivilege	1844	msiexec.exe
Token: SeCreateGlobalPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe
Token: SeRestorePrivilege	372	msiexec.exe
Token: SeTakeOwnershipPrivilege	372	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
760	Zona.exe
760	Zona.exe
760	Zona.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
760	Zona.exe
760	Zona.exe
760	Zona.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2236	jp2launcher.exe
760	Zona.exe
760	Zona.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2436	2152	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	28
PID 2152 wrote to memory of 2436	2152	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	28
PID 2152 wrote to memory of 2436	2152	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	28
PID 2152 wrote to memory of 2436	2152	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	28
PID 2152 wrote to memory of 2596	2152	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	31
PID 2152 wrote to memory of 2596	2152	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	31
PID 2152 wrote to memory of 2596	2152	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	31
PID 2152 wrote to memory of 2596	2152	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	31
PID 2152 wrote to memory of 2596	2152	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	31
PID 2152 wrote to memory of 2596	2152	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	31
PID 2152 wrote to memory of 2596	2152	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	31
PID 2596 wrote to memory of 2396	2596	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	33
PID 2596 wrote to memory of 2396	2596	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	33
PID 2596 wrote to memory of 2396	2596	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	33
PID 2596 wrote to memory of 2396	2596	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	33
PID 2596 wrote to memory of 2396	2596	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	33
PID 2596 wrote to memory of 2396	2596	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	33
PID 2596 wrote to memory of 2396	2596	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	33
PID 2396 wrote to memory of 1844	2396	javaSetup.exe	37
PID 2396 wrote to memory of 1844	2396	javaSetup.exe	37
PID 2396 wrote to memory of 1844	2396	javaSetup.exe	37
PID 2396 wrote to memory of 1844	2396	javaSetup.exe	37
PID 2396 wrote to memory of 1844	2396	javaSetup.exe	37
PID 2396 wrote to memory of 1844	2396	javaSetup.exe	37
PID 2396 wrote to memory of 1844	2396	javaSetup.exe	37
PID 372 wrote to memory of 828	372	msiexec.exe	39
PID 372 wrote to memory of 828	372	msiexec.exe	39
PID 372 wrote to memory of 828	372	msiexec.exe	39
PID 372 wrote to memory of 828	372	msiexec.exe	39
PID 372 wrote to memory of 828	372	msiexec.exe	39
PID 372 wrote to memory of 828	372	msiexec.exe	39
PID 372 wrote to memory of 828	372	msiexec.exe	39
PID 372 wrote to memory of 840	372	msiexec.exe	40
PID 372 wrote to memory of 840	372	msiexec.exe	40
PID 372 wrote to memory of 840	372	msiexec.exe	40
PID 372 wrote to memory of 840	372	msiexec.exe	40
PID 372 wrote to memory of 840	372	msiexec.exe	40
PID 372 wrote to memory of 840	372	msiexec.exe	40
PID 372 wrote to memory of 840	372	msiexec.exe	40
PID 840 wrote to memory of 1564	840	MsiExec.exe	41
PID 840 wrote to memory of 1564	840	MsiExec.exe	41
PID 840 wrote to memory of 1564	840	MsiExec.exe	41
PID 840 wrote to memory of 1564	840	MsiExec.exe	41
PID 840 wrote to memory of 1800	840	MsiExec.exe	42
PID 840 wrote to memory of 1800	840	MsiExec.exe	42
PID 840 wrote to memory of 1800	840	MsiExec.exe	42
PID 840 wrote to memory of 1800	840	MsiExec.exe	42
PID 840 wrote to memory of 1756	840	MsiExec.exe	43
PID 840 wrote to memory of 1756	840	MsiExec.exe	43
PID 840 wrote to memory of 1756	840	MsiExec.exe	43
PID 840 wrote to memory of 1756	840	MsiExec.exe	43
PID 840 wrote to memory of 2404	840	MsiExec.exe	44
PID 840 wrote to memory of 2404	840	MsiExec.exe	44
PID 840 wrote to memory of 2404	840	MsiExec.exe	44
PID 840 wrote to memory of 2404	840	MsiExec.exe	44
PID 840 wrote to memory of 3000	840	MsiExec.exe	45
PID 840 wrote to memory of 3000	840	MsiExec.exe	45
PID 840 wrote to memory of 3000	840	MsiExec.exe	45
PID 840 wrote to memory of 3000	840	MsiExec.exe	45
PID 840 wrote to memory of 2692	840	MsiExec.exe	46
PID 840 wrote to memory of 2692	840	MsiExec.exe	46
PID 840 wrote to memory of 2692	840	MsiExec.exe	46
PID 840 wrote to memory of 2692	840	MsiExec.exe	46
PID 840 wrote to memory of 760	840	MsiExec.exe	47

C:\Users\Admin\AppData\Local\Temp\40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
"C:\Users\Admin\AppData\Local\Temp\40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2436
- C:\Users\Admin\AppData\Local\Temp\40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
  "C:\Users\Admin\AppData\Local\Temp\40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe" /asService
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1844
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\AU\au.msi" ALLUSERS=1 /qn
      4⤵
      System Location Discovery: System Language Discovery
      PID:2088
  - - C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
      "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.7.0_80-b15
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1860
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\Zona.7z" "C:\Program Files (x86)\Zona"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1620
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\appdata.7z" "C:\Users\Admin\AppData\Roaming\Zona"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1768
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" /copydll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1508
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2924
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" --readInitFile
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:760
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2808
- - C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZonaUpdater.exe
    C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZonaUpdater.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:480
  - - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
      "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\zupdater.ext.jar" ru.zona.plugins.zupdater.ext.Main update
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:904
  - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZONAUP~1.EXE
      "C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZONAUP~1.EXE" /asService /logPath "C:\Windows\ZonaUpdater.log"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:692
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" /copydll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2848
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2380
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" --readInitFile
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2764
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:952
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2140
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" /copydll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2400
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3036
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" --readInitFile
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1364
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2240
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1700
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" /copydll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2180
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1464
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" --readInitFile
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1512
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1052
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3036

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B1D7A7C48127150EBAB6D9D085DF3C27
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:828
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DBBE81868D05DEF5DCDDFC17A51C5E25 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1564
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1800
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1756
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2404
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3000
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2692
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:760
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2592
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2556
- - C:\Program Files (x86)\Java\jre7\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1088
  - - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
      "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1952
  - - C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW5camF2YXcuZXhl -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2236
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A3DF434D31187D20B40C49E1AD518C81
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76d27f.rbs

Filesize
9KB

MD5
e588070cb31a0b35d639b8b11aaa4b1e

SHA1
9abba8234c87094c63b549d1c8d6c6de684b04be

SHA256
96921b7f48b14f6da0d4c2c104b359f19eecd862e2fcd82feabf39a9bf45496d

SHA512
13a3a79cd907a2d454cb51919fbd9fdb5ee90b26e37eb62ef8bbbea7040298dc6f3a2ec7a4a51405f83a1ea48bf159ab03e5eb07604a374e22bf0c3f6268e7d3

Download Submit
C:\Config.Msi\f76d285.rbs

Filesize
8KB

MD5
e49d5d23c39960e873de829807e35c1d

SHA1
9a2f1eccaca2ea7431d447654e933447094fc11c

SHA256
0184aaae10f0ba77051f84db1027bd0eacbd88d419af9f89e38c93aabb4799fe

SHA512
5d371aef6cbdb3fa448efd2f0f169274d538dfe9607453b898485ca5377fe309fb3faf2bc8c3d1a86543f350ebe3efc46d0f5ecd6afe979b97f31da77dd28f68

Download Submit
C:\Program Files (x86)\Java\jre7\bin\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\Java\jre7\bin\client\jvm.dll

Filesize
3.4MB

MD5
27147e1e3faf9b5ccda882cd96f2a85c

SHA1
7103f60121727917f812bfc7cdff5347fc17cc8e

SHA256
500d359211ece211cf672de328345876f016fb4a476b2a03cbc3b8b89023ae1f

SHA512
0866c604911e243687e7fe721142eb882b19691c902736b59ba304933463d8c9154ecc319b91c9771cee8139e151cc2a2e960bc7a93ed97352cf5232a0964194

Download Submit
C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll

Filesize
864KB

MD5
bc3a575dfb1a58d35e8617f2966bf1ea

SHA1
6353630f62e246d7f462134e8d10a7a42935e20f

SHA256
c029fd3c6ffd2158d0633fc122786838a6f5d3cc7ef78bbe934697015c8c63dd

SHA512
c976da30d343f8e104bec72300dc0c17e582e380f0a3ae85b242dbf2d5b40459feb4a3b7789fb8d755b21cbaa0940038d20dbbf1296a48e77b461092abbbe514

Download Submit
C:\Program Files (x86)\Java\jre7\bin\javaws.exe

Filesize
266KB

MD5
2b4493bb1f94580c41def972ea9a887e

SHA1
880ca8b20c6df9a6a176b91cc50304cb0fe66d06

SHA256
841339373958786d9c93a7dad5de8fd213ed6b5ad69623f5a5762a453c48e0a5

SHA512
b43e54f2c1f3e0a3c3d2fcee518e47d17476bb735606351e41b49e97e10af758ea9a539ac370a2d12cffa93e3e752e829db969968664c59386f65b732c29e40e

Download Submit
C:\Program Files (x86)\Java\jre7\bin\zip.dll

Filesize
66KB

MD5
1ecf056944068b933ba71cda3edc4a68

SHA1
2052b2138db0d9a368942470b41bb6fc5b1d4007

SHA256
35ce7ab154a38e97951714e17f7689873d89e8c01188de6e5cd741bc0ca3e384

SHA512
cadf312841d392a9970cc068b72063e17454d5e6738b46ec9622257d9dfc0bcad0d9420352752bf7d8f8e8ceaf6aca97d83896f753dc12cfeac3e5efb5e1ab05

Download Submit
C:\Program Files (x86)\Java\jre7\lib\charsets.pack

Filesize
1.3MB

MD5
549bbcd204914b543dafee670f110834

SHA1
012461935191a55482e8c3d453d245e965a10a2a

SHA256
8ea5af036ec067a0abcf87b8f5921e2281ff9d259e1d4c3bbe7fa9037cd87d02

SHA512
b0346a2ec52ce47351286f27f347f5fea99e160aedde52bcf74e1629739704bd975c9c99d8db6be3b6bd45e7fa933616fa081eda49e9b911efcc031c7241400e

Download Submit
C:\Program Files (x86)\Java\jre7\lib\deploy.pack

Filesize
1.7MB

MD5
b2a448112b7c886ccce9b6a3d5efd8a0

SHA1
660bc9efe960015b208a421b1a63443e7151024f

SHA256
928f6b847f94b920c462a08c43f0dfd3f7c40076b1cd60545523a5c27a4870ca

SHA512
871da63f4eaf16d77ba6c19c10d8ddd8e94f744c20a70e24793f837023d20e56698d85f67498bc06ec37b73a8f376c220afbe7f3884b00536b710ff49c339b3f

Download Submit
C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack

Filesize
736KB

MD5
c8dc1cfeaf0fefc39ed0f1de4eaa175c

SHA1
11cacbb9e5724d37789455de37a225d8e0c648a1

SHA256
da2803a283d28882182e1e280b4f25ee1579a5805e73fcc9882e63968f102a8f

SHA512
6b419ba94ae90f8caa3a57690f2ec7e249c9fb8ab86819439621cde1243c7636ee76820622ce32ed483ce76976f7ced74778898fc2725b1a2407b039fb53508c

Download Submit
C:\Program Files (x86)\Java\jre7\lib\i386\jvm.cfg

Filesize
686B

MD5
5147cce789cd18ad6b2996eb89e5d866

SHA1
756f1fffe96ef581f0d4d47253523544c89a2622

SHA256
c471d622198461715f245d478484fc7c8de533313c56e922931a875460a5aa88

SHA512
55f53adb70b1cf741cdf0dee74d92d2bf4c96954a760afae289972a0ea9bb27bc5eb4df1bd41829c7c484211fcb294fe296a4d560d8a1cdbb8c707b3bf2a79a6

Download Submit
C:\Program Files (x86)\Java\jre7\lib\javaws.pack

Filesize
205KB

MD5
491bce42c6cd8af88a2e11f37711ed4f

SHA1
3de7c18fee44465a6afe34e068f2a64dea9fa324

SHA256
ee43869ee94eefe241d661101ff6a03cc276f8e558967b1b350ea088f1dad2e2

SHA512
1e5f99466b77b5a82c23449434272acf5746811ef96b98105f89b3339ccd86734d7713c94b773755219345d673a761a356fbe846a38e7893bd8894e43cf102e4

Download Submit
C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack

Filesize
3.2MB

MD5
dfaa6429468d56ef77932cf26a495f75

SHA1
8a21a29225640f1829ae328a24ef9cb5e215a4e0

SHA256
8c481a549acfa58b1bac0385906febe33a928d004a529fec505b6a9228678fed

SHA512
6c19ed573b111315648de0646441486729b304452c15b2282938460a2339db0be4e1eb19cf6f2bf17f73037811ca2553a15957ea96b9d9af64a93045407c1148

Download Submit
C:\Program Files (x86)\Java\jre7\lib\jsse.pack

Filesize
141KB

MD5
31b4d9c29d29567b0ae3037fac9fbdc6

SHA1
8b5d1b1a309177466d71a742414d441f600ea38e

SHA256
9f031f2f1292bb311c400b0a93a11b78a08f013332b1263ea58617b6548862eb

SHA512
b4a8a3a1e837f98a3164e19a6fe939819eb336892335de975822890b52b5923d85fee4c4e5464ccb0d46c847f37f7da98a839aadbf4d20fca355f396a53836c0

Download Submit
C:\Program Files (x86)\Java\jre7\lib\plugin.pack

Filesize
489KB

MD5
47d6cfa1b01a6d41885504bbc3b1919a

SHA1
3838060f9d530c972d65f36fa38b265120a218aa

SHA256
93defaaf7f82e2e9565b27dd31a41c89e02d1b7719d0da0b940a55dcc75b91e5

SHA512
b0df9b174624234aaeb2b50cf611f698377925a0ae5c5ee9da46c65fcecf4d28941d1bf2332316d9327981c1f8c6c4fecf750e013f04eef63f5df52d27593135

Download Submit
C:\Program Files (x86)\Java\jre7\lib\rt.pack

Filesize
13.1MB

MD5
b6d75e8c90c79af1579769f10b1e5c88

SHA1
146cb3f05fa161885e8faf079fa2bbd89b5c5b18

SHA256
82dc6806d9ec9eb16604f90a5c78d0d882b69a0e718d8f6c3c6b7c9719887b7e

SHA512
02cdd0c0d6e71bc09120db2cd3b9471c0176567d92bb74a08c13e82c1d23722eb4afac41583a11dee3fc531fd442754ee0f5cb964898ec036ddd432947996037

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
d2c867cd9db8498500b6805f114b7908

SHA1
2e6c5a2f0daf65ed38061ca92e876306e9c2d6aa

SHA256
681b590d062a6be0c042072c4d5e9b1de92b02ce02621489410609bbaaed560a

SHA512
9cf0d4ea5240651cf0460960e24fb182de20187fd9c648c028a98841d4f6762ba181390d034e6afcf0b591247a6b5c83aa1b55f2b5d51f70c136b270a1a66dc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\Data1.cab

Filesize
24.6MB

MD5
003a488a2139105704566b47eb29520d

SHA1
52d672a592cd52ad5e2e7239421f2659e0d17afa

SHA256
a84262dd486cf59049d0d2d9a1b00dfb5aa5271592edd8de0e052f12496dec67

SHA512
ab34061f8e04bb1d59f1b35e0e1848a176f2b119095e79015130da3a4384c70fa35ecbe1625e07c0eb0de49c67bcdbba59f10fa1dfbbb2066dcb6ee6825215de

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi

Filesize
898KB

MD5
e24d9b483ce7a3a6a4406111883457f7

SHA1
0d5efff0d110c48f5e6f5d438967427f1e2dbf84

SHA256
dbf28e21d55dd662cccf4d422a1a645a6a3dbfd6914942dde417d20c4d2fe01c

SHA512
b614b023ce683e78ee685be028fa06d7df90f10360d55de2a8c1214200b0b85998683502f377b01584bf23b72b168c33ef560a78d7abdf68aa3af87beca59398

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE09.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUpdate_r33.exe

Filesize
146B

MD5
8eec510e57f5f732fd2cce73df7b73ef

SHA1
3c0af39ecb3753c5fee3b53d063c7286019eac3b

SHA256
55f7d9e99b8e2d4e0e193b2f0275501e6d9c1ebd29cadbea6a0da48a8587e3e0

SHA512
73bbf698482132b5fd60a0b58926fddec9055f8095a53bc52714e211e9340c3419736ceafd6b279667810114d306bfccdcfcddf51c0b67fe9e3c73c54583e574

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD2CA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
1KB

MD5
ca79cb4fb835c588b9b64bc12bf724d4

SHA1
c14c0a83511d4f66b9cf7cdb4e4922170c020759

SHA256
c03363767c67b2d3f2ae6c002b451432ad70ec1d9c9d5228adbd62cefd53dffa

SHA512
600dd0ee5693185c0d26f6fccf75e90d06eb855f284717be065167e01ea2fe44d96279706161fc04a544a5d817eeb47940dc873c2ea493f543212137fb1e6262

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
3KB

MD5
b1796c4cd3f97f0c0b941c2a93628199

SHA1
6e55c21f6dd95afb975c6d75640cc92d904598b6

SHA256
3e179890343f5a54941e58b5fc787e91484b896be84920e297444eba0c624327

SHA512
b89d75f988509ad69dfcd0f6b844ca412b93927bd3c7f06bdf9ace4c79df9b9d3b6ad2677680f151551a6bd67f6b5c41c6a0aafead8bdc51fd4e1e16356cb5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
bee210db1df8640a6a08367a9d2cc790

SHA1
4d4c9878a4fe163b5b893498bfcdbcf36d6620ed

SHA256
c484484b112e30a8f8b16da48d1075eedcec5a5e8ba3243365768b51cf8367c9

SHA512
5e7b047d6a25d341bc8e8ed31a183debe1861ef7b5d3ae36c481608c7a8a7444b3ae62a2f8236aa64ab8537dabb49da5c2deb60651e6c85bb1ba28eb627d3e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
fdd029dd4288ba2f32d05418e3d857d9

SHA1
045f57794ab98a8234af6dd4dde1a3f570d306c7

SHA256
11200c6b690a44f4d92931eac45c1286c4e993996bfa0897a40d02386bb16881

SHA512
f88b2e8d91b954bfe811be52590be74d7ee987182351c04f4765b011fb2f355a815b929bf0c3609ed1f7eb46c6f954fc3abe9fd7bc6eb67adff7700ad5c85568

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
193KB

MD5
6a86e8d216a77baa9084e18e231204a6

SHA1
6c1e488a58c0776519fb5eb4161d0f929aecb188

SHA256
49c96e06d4d875bd04d6dba41567347e0ca43f712b54dfcb240bbf8da12506d3

SHA512
6c4dddca4bcad858ff042a9f15da6226cf8c4a7c84215a1cba8b6625ef192d74451fb11a9ceb6c5a6450b71fec24c69d404505717c008c9009ca8e0a8a57c37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
193KB

MD5
5da1b3686b8239c4278b11288b0b441d

SHA1
fde3ebc5be1347693b9a66877f78d40929383ff8

SHA256
c2e1e432f32ceaef9be282ed1216275604f03a9fc514781161eaa89c32046f56

SHA512
a5a118bc340169f36c7b69a1d5e20b23be6132be6926664d67839357c40ac7a9337014a9aa570b72f3f3ce816a3b003915516effb764ac00f3959a75a9d05b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
194KB

MD5
a4a7a1bb494c3808f6c61b7a016b0e1b

SHA1
78c93a6cb226ae9fec29eb5727737b88457c09ad

SHA256
415da94b6e737947ad017a683a71fa1ab41229ae062f46e18ad8b427dc63b6b9

SHA512
9cf5f993f137024edfe2c35186beaffd891cfc8122d527a95cc42eb098026766ae35f2c53625f50b4821f54b055f21dbe99e6da3dc4c08ffa49419b58553be93

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
195KB

MD5
a256804cf7979b72a2e05766cdc6e6a4

SHA1
7318c80b4ff40c397a27cd2fce6c157bea503be6

SHA256
0ce92642049b8d6cd1925f5697eb4fd699594fc329d590fb482f9430a449c4a5

SHA512
8c8fd367f8e990ae1d291b66ae34efd76dc547e53d3e80b334ce00fc05a703c9a4316025426363106f614ecf64567bb98b918ab019ed084ba47e06f634c397f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
195KB

MD5
95b6db47d83e1c43fe0a6dfa89b6cf4c

SHA1
ce67c5f379dca2775815dba04875bee40dcc8c14

SHA256
c3fccdfe60a45a816f9389a8ed5678862bb151d10d58d5ed7275a7d0e3714388

SHA512
4c9df5f9d618bb0d6827ff187b0f7ba1bc7b17fb34635a84a37353837b5afc6c0c4ff0c913608edb6ec478c540d79084fe2aaa15f45628ab4a53938a223dbbe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
196KB

MD5
b0949b14d1ae9196d12eaccaa0b62107

SHA1
4acd9a8d1411037d73667808f243572d2239c436

SHA256
295f8c8bb8e6a16f72874ca3bffdf21b7f4050cdab3bdc1bf055f6a86ce3ea95

SHA512
b25bcaa9dcb3491a98c799d3281fc88988fec2d6a50c2c127c89a5fea789ec657ab3da53ce54b3f1dd40d33c7f415935bc57b101c23b07d7298864c9047cc906

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
196KB

MD5
5b2120b15b094ab218e799bfff61dc14

SHA1
e28431d7b6e4b553a5d1d16ec3b8f97e4c99e3e9

SHA256
890825362b7fc3c0d04d28220a0448db13ed45caf20fb07e24cad7cfc89b8af5

SHA512
9e7938223631f324d5b7729f0957a9369d864df6d1ef8075419c626b5873e81a39775cb6a2e1a08d8da66b3f444f2eb6699c6b9dee076fdb2a8feacc590eb49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
197KB

MD5
2b86d39053fc6e56bd766e03b26a52c0

SHA1
ef3dc18b0959019ac4501feb955921fb0053907f

SHA256
a0c4e58373a32071c13ea9d822f62773b50746a310cd371e425a2156963e0548

SHA512
b156b87ba767de35d4be1738eebd393fc584c2294f529834f20d63d5179c6b198925c68b94af63243bc667fd5f87792886af2225c1f3d7933e311b75ad1bc173

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

Filesize
4KB

MD5
b8fb107bd13db98220f268c8934f9966

SHA1
9ae449edd077dbe9fc765619a318359a03284b18

SHA256
54319cb0aa82dc67dffada8af6e5fdb235b0c27575f4c7ddfe7a6f834243d3eb

SHA512
af996421da8f6655c62693db73770777b981334e368c0a288b8e7ba5dc20577adc7605336cb0a1d65ae41f0e4cae09e572ccf657c9c35aed679b0ccf17e1941d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
602B

MD5
0825ec6a09536f14e8557ab705b15311

SHA1
190dcc62a18cba35768975e4bae10ce474e60311

SHA256
4c0b96a9cae32bfa2d4b5c86ef2cedcfba8022d9f3c78eb7839ab2f3626f6a44

SHA512
caf44bce3f214cb0ec524afee15ba26abe0d6e4a4fb18dbddc041b3b3f82a4f8571be141e1b878336fd482651718f703d1484eaaa3ab363749bec21c7804cfb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
746B

MD5
2348d59f06fc4acfcf155b63652e1941

SHA1
bf5e21057d7cda2d5d0a438d0b55c03f2118c54d

SHA256
32958e2215dee6929814cc718b731dd78c5b4ac4a10d049a94aca65216c48a84

SHA512
90cfe0bb07083e8e1ac83e40cb2a3ea5180f8cd71214bf74f308f7d1ac61fc4cb71a789f218bb345a47c38be3bef3e82b7be3e191431d2b6785d2f1b315c1b44

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\active\56867D583A2FA389E2D57CA8B5CD51DE2F057836.dat

Filesize
28KB

MD5
b08c182298e939f699249170531c263f

SHA1
a67791cda6de8aa1bdefc71d2b7e028b1293b7a3

SHA256
cd8c07bd28d8179fd87264cbc7ff06a9d3b93bcd6f379a8dbf3fde028e746f4d

SHA512
3847aa4f874ac802ffb37a85a40cfafb261f20aa8aa0249753458c6efceb5b7356404ae9ba2c0bb6ca5ad3b46ceca771404de607cfad8d7c6ed0f4e737b15716

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\init.xml

Filesize
348B

MD5
0e643d8a669bdea52bd5e3b7889483bb

SHA1
dfb1041773993baef4bfba15a9096060b258f069

SHA256
c4e36154f5b170f32150568a69d668ba4bb6067d781b8b076e2996400bd37316

SHA512
633dc74ce51fbb71d073d540365162ca9665260a86a89fcdd574327c68bd320c8fce28368c4818a52260bf2b8abcabfab58446eac466ce1adf88ed1386e59b66

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\launch.log

Filesize
1KB

MD5
a4df61bee9e4eb3ae802c615b1447aeb

SHA1
9fac952371b51a0f341c12d6fe806158672061d2

SHA256
8a20408b0643726829d334451f8fa6b86f2de29eb82a0159f12f1bdd63338abe

SHA512
4830910c8972246c0ed2bc83c04b186095201b4a474d71d689cfe5e3d0f79cf17f49817799874587db9066e95b28c7d6834f3dc7ce13cf5c719edb65f8cfa99d

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\launch.log

Filesize
3KB

MD5
928f1e880eeba154c2ba816b478a94b6

SHA1
683bfcd19c607cba586ae855521e2a1e6921d20a

SHA256
6cb4e9d8523a4b948c07f8a7e58e7bd7b961e1929aff62635cdbfc0065a2ae5f

SHA512
ecee85eb546cbbf79bed2b6e0e7844b8f3cb73921f40068ca65b3468d6d48788fd2ac89eb98baf2f263a2cba57470f82a07a57ba53c85819ed38a3a7c2ad5838

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\launch.log

Filesize
5KB

MD5
14099e236d1536336d5d75056bccf5f4

SHA1
4d8fcf1139c7ab51e4734b47ce770214a56e2eb6

SHA256
35133510ed9b41e6878a8f1497a5838f322f6faec5a5c6096a383a2efeefd62e

SHA512
3a5cf3fa8dea5bde0b0572543fec90cf47a1a14af0b98bc3b985a653e4615ec3dcd9f5a0f6f4e6797fe72284e68cdbdac49548326b22a2d77d0676c27beb326d

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\torrents\AZU3615862072053537434.tmp

Filesize
28KB

MD5
cadd1d3521af856893bde2a1db1804b1

SHA1
a0a9f1a3b729af16555972302e75035776c111b7

SHA256
ce03e50d68c97ce903cce1d337b8b45d5df43cbf5fdb15fec4b19ea55242ad76

SHA512
503a432c79ba9970f38cc5aa8e5f99e9b11ddd862badfd22050db0d65780b87688d286dfab3164dfeb86d5a03f8260c251a021b4e76ae47060fb3853e6dab6e4

Download Submit
C:\Windows\Installer\MSID7F2.tmp

Filesize
202KB

MD5
9f84d910602183954bed6d9660600783

SHA1
82e3b122dc63e0a333bca531dd16667d5fafbf23

SHA256
bf4e4c75d148cb412e28a0b4e665919fd5ac6b9aa6bc3fa75401394759218d5e

SHA512
09fb450e6c6f22a32d5e06f470070aab17d4973afe307b529093af7fa29ab96b61a89814e4964d005459f8ebb25716134a5e1c41f6ea7d260361b135306544b9

Download Submit
C:\Windows\Installer\f76d281.msi

Filesize
155KB

MD5
55d7e66e49c3994eb5e1004a5efd22b1

SHA1
aa8a045dc0c161e95804f76efe27f1f572072fa8

SHA256
0a833d92b4d4aa068b0cb256b87c0d3495c3cc4a021be86c072095fee467b379

SHA512
2492ca442c4f6aab1f085a54bbbc1a95b836f033f1c8748fa6c3873997a397020baedfc1f661d751afe30ade3ab14b66a676a4731696b6c90c5c3adfa6c2bd2b

Download Submit
C:\Windows\ZonaUpdater.log

Filesize
2KB

MD5
636aa840c4e9c02ff8376339d17bd5da

SHA1
4a208a53009463c40bde474773d78e13d88117c1

SHA256
07981708122db8cbab75ba98cb54452db73b276da3fac1b97f2f33097d4109f9

SHA512
349a5d2e5b0450bf499a1b057facef8cf4daaeb983156fc8bfbdb67a7d1ae3133ec4e613f8152301170cc873cbb228b36f8bfead7e54ed157780bf7488320168

Download Submit
C:\Windows\ZonaUpdater.log

Filesize
2KB

MD5
0a18014de8ce2f379791413577bc4a96

SHA1
f63a8caa248d07ee0a30a07d1120f71bbc497f3a

SHA256
e2bf33b453b44f97be15aa18ab810419cc244cb835d21457e6861d4460768576

SHA512
aa7738390e357eee48c663f88073f0f89876fdbbdc888ea856545a6455d285e8fe062b9b68911b2ce7a3dd69b8019826f92929fcfc854dc2cce354db4b0813c5

Download Submit
C:\Windows\ZonaUpdater.log

Filesize
2KB

MD5
4e31710dcc7a2be126f507568dc1de34

SHA1
5b9908239de7638cac3da41dd081d4a4d54ddf34

SHA256
58777d6ad2b47ffe5fae677f33483c07cfb66171dc5b63ad3977ade17f547e64

SHA512
d445fbdbd5f58db79d3c245db19896321693089ea17f1aa8f4541d15a05d2b050d48905a9fb6bb20622977e252a9b55413658bab125842605a0cfaa9db3ede64

Download Submit
\Program Files (x86)\Java\jre7\bin\java.dll

Filesize
117KB

MD5
a258a133f7d565600647a248ab95792c

SHA1
1c6a855ca1fc04413b906b0b17609eff38317161

SHA256
81ad5696a6fcad89127fc7a428636d431b446ff1ee0c37bf87e8d513a8bae7af

SHA512
bf9dd97947eb0c71243ae28255af54b06d9e17af7ade666538dd93f9fdf6d8fbc3855f48bfaf6522dbd9ce3c6cff655581f092709670606d033f2321b1f4a5e7

Download Submit
\Program Files (x86)\Java\jre7\bin\javaw.exe

Filesize
171KB

MD5
64e2bb67ea740860510dcc5c2b6ffa2d

SHA1
6c5996358264624cdb4a075acc4f0b46177cd259

SHA256
844ab2231f45fad60d81770ea36d9937da9aa72cd905ce06e7471ddf9d69263b

SHA512
ed24331883ada44d8b034f5c8bc458e53234109d5cd02a27989972033f5b3305d23365106ce80be81caa16e472c14c103e457a1e0d138eb0d95036e58d877462

Download Submit
\Program Files (x86)\Java\jre7\bin\jpishare.dll

Filesize
138KB

MD5
4cf2dff54d2e12e3ab637fcafa7d4c9d

SHA1
dcbd0a027b8017ac396741698dfc3b3f4d1b4c39

SHA256
8ff2bc130db2f1fef2e6470adb58bcdba1d2133f9ad21ebd7d80fedd3e537e21

SHA512
a206001ceaed2df91428f1b7094246e4e7318bf4e7b19c475d4887b5eae49714ff7fa3cfab4133004a51280cf36549b73eecc87428b0b38294297545e9493e67

Download Submit
\Program Files (x86)\Java\jre7\bin\unpack200.exe

Filesize
145KB

MD5
0d46182b6134aa9c7acd16133d67e4c3

SHA1
7b5be3d65e5e744723bf55a08f9dc1042585d5eb

SHA256
c89091f2a4de2fcf10b30e54a74ec5764e2dfc0577f4f1d879ac8816e3b08bcc

SHA512
735b6c6bd69b22a71c15ae44c6fa1693700321dc3b4b2367ce05d5c37df62e45d1d3836c2c0f5e44be1036aeb11a533c2a4dbec55163b4a15adfa1c8ef75673b

Download Submit
\Program Files (x86)\Java\jre7\bin\verify.dll

Filesize
38KB

MD5
cb89b1d71061f5ec52468528ecc0b1fc

SHA1
6feb23a8b5719c8997de92c7da644807fcba8819

SHA256
87d8d59972e73700507c07cee8750b0053c6a0899410338722a00c2803d39ee6

SHA512
2ff0ed38c7f28eb7ea16f24a0841dfb3306c4fec48ded5fddec8c3140f1a425433a444fe6b6cc4c17b3a39841c8ab0c23d7c9525c119c1b9d6daac2c17a4e4b0

Download Submit
\Users\Admin\AppData\Local\Temp\javaSetup.exe

Filesize
28.1MB

MD5
f2fd417b6d5c7ffc501c7632cc811c3e

SHA1
305c1493fca53ab63ba1686c9afdfb65142e59d3

SHA256
a87adf22064e2f7fa6ef64b2513533bf02aa0bf5265670e95b301a79d7ca89d9

SHA512
289ee902156537e039636722ad5ac8b0592cf5cffda3d03cf22240003627b049382b95db1b24cf6a2f7134b0df93ede65a80a86381fc161b54c84a76ed04458b

Download Submit
memory/760-1533-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1623-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1985-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1970-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1891-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1883-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1878-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1870-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1844-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1823-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/760-1821-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1463-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1477-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1818-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1490-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1502-0x0000000005370000-0x00000000053E0000-memory.dmp

Filesize
448KB

Download
memory/760-1507-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1517-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1525-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1815-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1562-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1812-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1554-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1811-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1683-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1750-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/760-1800-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/904-1783-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1620-1169-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1768-1256-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1768-1203-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1952-966-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1952-944-0x0000000039E00000-0x0000000039E10000-memory.dmp

Filesize
64KB

Download
memory/2152-34-0x00000000036A0000-0x00000000036F0000-memory.dmp

Filesize
320KB

Download
memory/2152-52-0x0000000000140000-0x0000000000190000-memory.dmp

Filesize
320KB

Download
memory/2152-0-0x0000000000140000-0x0000000000190000-memory.dmp

Filesize
320KB

Download
memory/2152-1335-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2236-996-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/2236-1080-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2236-995-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/2236-1114-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2556-920-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2596-1488-0x0000000000140000-0x0000000000190000-memory.dmp

Filesize
320KB

Download
memory/2596-56-0x0000000000140000-0x0000000000190000-memory.dmp

Filesize
320KB

Download
memory/2808-1388-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2924-1325-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download