40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ZonaUpdater.exe

Executes dropped EXE 30 IoCs

pid	Process
2808	javaSetup.exe
4488	unpack200.exe
60	unpack200.exe
1012	unpack200.exe
1964	unpack200.exe
4584	unpack200.exe
872	unpack200.exe
4908	unpack200.exe
3648	unpack200.exe
3888	javaw.exe
6060	javaws.exe
6080	javaw.exe
228	jp2launcher.exe
2316	javaw.exe
380	javaw.exe
5764	Zona.exe
5896	javaw.exe
6048	Zona.exe
6128	javaw.exe
4372	ZonaUpdater.exe
5440	javaw.exe
6140	ZONAUP~1.EXE
2432	Zona.exe
4408	javaw.exe
5564	Zona.exe
5512	javaw.exe
4740	Zona.exe
824	javaw.exe
2324	Zona.exe
4944	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
5056	MsiExec.exe
740	MsiExec.exe
4488	unpack200.exe
60	unpack200.exe
1012	unpack200.exe
1964	unpack200.exe
4584	unpack200.exe
872	unpack200.exe
4908	unpack200.exe
3648	unpack200.exe
3888	javaw.exe
3888	javaw.exe
3888	javaw.exe
3888	javaw.exe
3888	javaw.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
6060	javaws.exe
6080	javaw.exe
6080	javaw.exe
6080	javaw.exe
6080	javaw.exe
6080	javaw.exe
228	jp2launcher.exe
228	jp2launcher.exe
228	jp2launcher.exe
228	jp2launcher.exe
228	jp2launcher.exe
228	jp2launcher.exe
228	jp2launcher.exe
228	jp2launcher.exe
228	jp2launcher.exe
228	jp2launcher.exe
2316	javaw.exe
2316	javaw.exe
2316	javaw.exe
2316	javaw.exe
2316	javaw.exe
380	javaw.exe
380	javaw.exe
380	javaw.exe
380	javaw.exe
380	javaw.exe
5896	javaw.exe
5896	javaw.exe
5896	javaw.exe
5896	javaw.exe
5896	javaw.exe
6128	javaw.exe
6128	javaw.exe
6128	javaw.exe
6128	javaw.exe
6128	javaw.exe
6048	Zona.exe
6048	Zona.exe
6048	Zona.exe
6048	Zona.exe
6048	Zona.exe
6048	Zona.exe
6048	Zona.exe
6048	Zona.exe
6048	Zona.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zona = "C:\\Program Files (x86)\\Zona\\Zona.exe /MINIMIZED"	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
53	1368	msiexec.exe
55	1368	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	MsiExec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
109	checkip.dyndns.org

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\java.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\javaw.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	MsiExec.exe
File created	C:\Windows\SysWOW64\javaws.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\java.exe	MsiExec.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2160-0-0x00000000003E0000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2160-48-0x00000000003E0000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/468-49-0x00000000003E0000-0x0000000000430000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Anadyr	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\SystemV\YST9YDT	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\kinit.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\currency.data	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\logging.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Indiana\Vevay	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\North_Dakota\Beulah	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Recife	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Indian\Reunion	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\SystemV\CST6CDT	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Stockholm	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Easter	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\client\classes.jsa	javaw.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Abidjan	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Merida	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Australia\Hobart	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Amsterdam	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\client\Xusage.txt	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\dt_shmem.dll	MsiExec.exe
File created	C:\Program Files (x86)\Zona\Zona.jar	javaw.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jdwp.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Adak	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Kolkata	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\CET	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\SystemV\CST6	MsiExec.exe
File created	C:\Program Files (x86)\Zona\README.txt	javaw.exe
File created	C:\Program Files (x86)\Java\jre7\lib\security\US_export_policy.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Yakutsk	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Simferopol	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Chuuk	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\fontmanager.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\javaws.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\cmm\CIEXYZ.pf	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\ext\jaccess.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Denver	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Kuching	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Tashkent	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\EST5EDT	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\SystemV\YST9	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\Welcome.html	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jfxmedia.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\psfontj2d.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Oslo	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Mexico_City	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\tnameserv.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Tunis	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Antigua	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Indiana\Tell_City	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Berlin	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Helsinki	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\fonts\LucidaSansDemiBold.ttf	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\i386\jvm.cfg	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Almaty	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Krasnoyarsk	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Indiana\Winamac	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Riyadh88	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Indian\Cocos	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Funafuti	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\hprof.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jpioji.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\keytool.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina\Tucuman	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+6	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe	MsiExec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI6B4.tmp	msiexec.exe
File created	C:\Windows\hsperfdata_Admin\5440	javaw.exe
File opened for modification	C:\Windows\Installer\e57fcde.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57fce2.msi	msiexec.exe
File opened for modification	C:\Windows\ZonaUpdater.log	ZonaUpdater.exe
File opened for modification	C:\Windows\ZonaUpdater.log	ZONAUP~1.EXE
File created	C:\Windows\Installer\e57fcde.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F03217080FF}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27D.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jp2launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZonaUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZONAUP~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unpack200.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "43174048"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	MsiExec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_86"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_14"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0032-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_32"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_30"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0026-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_09"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_39"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_11"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_57"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_66"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_64"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0018-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_55"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0082-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_82"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_37"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0049-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0009-ABCDEFFEDCBB}	MsiExec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0089-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Zona\shell\open\command	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_39"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_17"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled\CLSID\ = "{5852F5ED-8BF4-11D4-A245-0080C6F74284}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_30"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_13"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0034-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0089-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DHT\shell\open\command\ = "\"C:\\PROGRA~2\\Zona\\Zona.exe\" \"%1\""	Zona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_17"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_53"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}\Shell\Open\Command	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_40"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_03"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_78"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
228	jp2launcher.exe
228	jp2launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3588	msiexec.exe
Token: SeSecurityPrivilege	1368	msiexec.exe
Token: SeCreateTokenPrivilege	3588	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3588	msiexec.exe
Token: SeLockMemoryPrivilege	3588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3588	msiexec.exe
Token: SeMachineAccountPrivilege	3588	msiexec.exe
Token: SeTcbPrivilege	3588	msiexec.exe
Token: SeSecurityPrivilege	3588	msiexec.exe
Token: SeTakeOwnershipPrivilege	3588	msiexec.exe
Token: SeLoadDriverPrivilege	3588	msiexec.exe
Token: SeSystemProfilePrivilege	3588	msiexec.exe
Token: SeSystemtimePrivilege	3588	msiexec.exe
Token: SeProfSingleProcessPrivilege	3588	msiexec.exe
Token: SeIncBasePriorityPrivilege	3588	msiexec.exe
Token: SeCreatePagefilePrivilege	3588	msiexec.exe
Token: SeCreatePermanentPrivilege	3588	msiexec.exe
Token: SeBackupPrivilege	3588	msiexec.exe
Token: SeRestorePrivilege	3588	msiexec.exe
Token: SeShutdownPrivilege	3588	msiexec.exe
Token: SeDebugPrivilege	3588	msiexec.exe
Token: SeAuditPrivilege	3588	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3588	msiexec.exe
Token: SeChangeNotifyPrivilege	3588	msiexec.exe
Token: SeRemoteShutdownPrivilege	3588	msiexec.exe
Token: SeUndockPrivilege	3588	msiexec.exe
Token: SeSyncAgentPrivilege	3588	msiexec.exe
Token: SeEnableDelegationPrivilege	3588	msiexec.exe
Token: SeManageVolumePrivilege	3588	msiexec.exe
Token: SeImpersonatePrivilege	3588	msiexec.exe
Token: SeCreateGlobalPrivilege	3588	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
6048	Zona.exe
6048	Zona.exe
6048	Zona.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
6048	Zona.exe
6048	Zona.exe
6048	Zona.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
228	jp2launcher.exe
6048	Zona.exe
6048	Zona.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 4496	2160	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	84
PID 2160 wrote to memory of 4496	2160	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	84
PID 2160 wrote to memory of 4496	2160	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	84
PID 2160 wrote to memory of 468	2160	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	89
PID 2160 wrote to memory of 468	2160	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	89
PID 2160 wrote to memory of 468	2160	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	89
PID 468 wrote to memory of 2808	468	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	91
PID 468 wrote to memory of 2808	468	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	91
PID 468 wrote to memory of 2808	468	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	91
PID 2808 wrote to memory of 3588	2808	javaSetup.exe	92
PID 2808 wrote to memory of 3588	2808	javaSetup.exe	92
PID 2808 wrote to memory of 3588	2808	javaSetup.exe	92
PID 1368 wrote to memory of 5056	1368	msiexec.exe	94
PID 1368 wrote to memory of 5056	1368	msiexec.exe	94
PID 1368 wrote to memory of 5056	1368	msiexec.exe	94
PID 1368 wrote to memory of 740	1368	msiexec.exe	95
PID 1368 wrote to memory of 740	1368	msiexec.exe	95
PID 1368 wrote to memory of 740	1368	msiexec.exe	95
PID 740 wrote to memory of 4488	740	MsiExec.exe	96
PID 740 wrote to memory of 4488	740	MsiExec.exe	96
PID 740 wrote to memory of 4488	740	MsiExec.exe	96
PID 740 wrote to memory of 60	740	MsiExec.exe	99
PID 740 wrote to memory of 60	740	MsiExec.exe	99
PID 740 wrote to memory of 60	740	MsiExec.exe	99
PID 740 wrote to memory of 1012	740	MsiExec.exe	100
PID 740 wrote to memory of 1012	740	MsiExec.exe	100
PID 740 wrote to memory of 1012	740	MsiExec.exe	100
PID 740 wrote to memory of 1964	740	MsiExec.exe	101
PID 740 wrote to memory of 1964	740	MsiExec.exe	101
PID 740 wrote to memory of 1964	740	MsiExec.exe	101
PID 740 wrote to memory of 4584	740	MsiExec.exe	103
PID 740 wrote to memory of 4584	740	MsiExec.exe	103
PID 740 wrote to memory of 4584	740	MsiExec.exe	103
PID 740 wrote to memory of 872	740	MsiExec.exe	104
PID 740 wrote to memory of 872	740	MsiExec.exe	104
PID 740 wrote to memory of 872	740	MsiExec.exe	104
PID 740 wrote to memory of 4908	740	MsiExec.exe	105
PID 740 wrote to memory of 4908	740	MsiExec.exe	105
PID 740 wrote to memory of 4908	740	MsiExec.exe	105
PID 740 wrote to memory of 3648	740	MsiExec.exe	106
PID 740 wrote to memory of 3648	740	MsiExec.exe	106
PID 740 wrote to memory of 3648	740	MsiExec.exe	106
PID 740 wrote to memory of 3888	740	MsiExec.exe	107
PID 740 wrote to memory of 3888	740	MsiExec.exe	107
PID 740 wrote to memory of 3888	740	MsiExec.exe	107
PID 6060 wrote to memory of 6080	6060	javaws.exe	110
PID 6060 wrote to memory of 6080	6060	javaws.exe	110
PID 6060 wrote to memory of 6080	6060	javaws.exe	110
PID 6060 wrote to memory of 228	6060	javaws.exe	111
PID 6060 wrote to memory of 228	6060	javaws.exe	111
PID 6060 wrote to memory of 228	6060	javaws.exe	111
PID 468 wrote to memory of 2316	468	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	113
PID 468 wrote to memory of 2316	468	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	113
PID 468 wrote to memory of 2316	468	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	113
PID 468 wrote to memory of 380	468	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	114
PID 468 wrote to memory of 380	468	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	114
PID 468 wrote to memory of 380	468	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	114
PID 2160 wrote to memory of 5764	2160	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	115
PID 2160 wrote to memory of 5764	2160	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	115
PID 2160 wrote to memory of 5764	2160	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	115
PID 5764 wrote to memory of 5896	5764	Zona.exe	116
PID 5764 wrote to memory of 5896	5764	Zona.exe	116
PID 5764 wrote to memory of 5896	5764	Zona.exe	116
PID 2160 wrote to memory of 6048	2160	40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe	117

C:\Users\Admin\AppData\Local\Temp\40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
"C:\Users\Admin\AppData\Local\Temp\40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4496
- C:\Users\Admin\AppData\Local\Temp\40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
  "C:\Users\Admin\AppData\Local\Temp\40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe" /asService
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Users\Admin\AppData\Local\Temp\javaSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3588
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\Zona.7z" "C:\Program Files (x86)\Zona"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\appdata.7z" "C:\Users\Admin\AppData\Roaming\Zona"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:380
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" /copydll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5764
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5896
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" --readInitFile
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:6048
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:6128
- - C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZonaUpdater.exe
    C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZonaUpdater.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4372
  - - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
      "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\zupdater.ext.jar" ru.zona.plugins.zupdater.ext.Main update
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5440
  - - C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZONAUP~1.EXE
      "C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZONAUP~1.EXE" /asService /logPath "C:\Windows\ZonaUpdater.log"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:6140
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4316
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" /copydll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2432
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4408
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" --readInitFile
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5564
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5512
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5324
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" /copydll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4740
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:824
- C:\Program Files (x86)\Zona\Zona.exe
  "C:\Program Files (x86)\Zona\Zona.exe" --readInitFile
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2324
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4944
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5304

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3130D11A59CBEEF5899D8B106C213716
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5056
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 408A59A752B3DB416A881395AA4D17A0 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4488
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:60
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1012
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1964
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4584
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:872
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4908
- - C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3648
- - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3888
- - C:\Program Files (x86)\Java\jre7\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:6060
  - - C:\Program Files (x86)\Java\jre7\bin\javaw.exe
      "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:6080
  - - C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlN1xiaW5camF2YXcuZXhl -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery