Analysis
max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/10/2024, 05:54
Behavioral task: behavioral1
Sample: 40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
Resource: win7-20240708-en
General
Target: 40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
Size: 129KB
MD5: 17ddfe4a848a8710ad64af3f4244e050
SHA1: 166cb2b4aa76e9328ea09b5b6b3fbac5ef2604cd
SHA256: 40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382
SHA512: b8f118e5a8127eef7aa531e00d1c46a129c8f64746e0902964179cd4fb8c00d69750b0940493bcbbce6f66f0d13b7d6d7443baf47092e574e1317c861fa49675
SSDEEP: 3072:qOiyDxsHWq7IVNuutVY4t3hMafrZknlOwzmwNCdscout0QVp:5DDxsHnIJVY41hx9wtCdscoS0QL
Malware Config
Signatures
Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | ZonaUpdater.exe
Executes dropped EXE (30 IoCs)
Loads dropped DLL (64 IoCs)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zona = "C:\\Program Files (x86)\\Zona\\Zona.exe /MINIMIZED" | 40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe
Blocklisted process makes network request (2 IoCs)
flow | pid | Process
53 | 1368 | msiexec.exe
55 | 1368 | msiexec.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" | MsiExec.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
109 | checkip.dyndns.org
Drops file in System32 directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\java.exe | MsiExec.exe
File created | C:\Windows\SysWOW64\javaw.exe | MsiExec.exe
File created | C:\Windows\SysWOW64\WindowsAccessBridge-32.dll | MsiExec.exe
File created | C:\Windows\SysWOW64\javaws.exe | MsiExec.exe
File created | C:\Windows\SysWOW64\java.exe | MsiExec.exe
resource | yara_rule
behavioral2/memory/2160-0-0x00000000003E0000-0x0000000000430000-memory.dmp | upx
behavioral2/memory/2160-48-0x00000000003E0000-0x0000000000430000-memory.dmp | upx
behavioral2/memory/468-49-0x00000000003E0000-0x0000000000430000-memory.dmp | upx
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSI6B4.tmp | msiexec.exe
File created | C:\Windows\hsperfdata_Admin\5440 | javaw.exe
File opened for modification | C:\Windows\Installer\e57fcde.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\e57fce2.msi | msiexec.exe
File opened for modification | C:\Windows\ZonaUpdater.log | ZonaUpdater.exe
File opened for modification | C:\Windows\ZonaUpdater.log | ZONAUP~1.EXE
File created | C:\Windows\Installer\e57fcde.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F03217080FF} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI27D.tmp | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 32 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msiexec.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | msiexec.exe
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class (64 IoCs)
= "Java Plug-in 1.7.0_03" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}\InprocServer32 MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB} MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBA}\InprocServer32 MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_78" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBC}\InprocServer32 MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBB} MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}\InprocServer32 MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\InprocServer32 MsiExec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 228 jp2launcher.exe 228 jp2launcher.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 3588 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3588 msiexec.exe
Token: SeSecurityPrivilege 1368 msiexec.exe
Token: SeCreateTokenPrivilege 3588 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 3588 msiexec.exe
Token: SeLockMemoryPrivilege 3588 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3588 msiexec.exe
Token: SeMachineAccountPrivilege 3588 msiexec.exe
Token: SeTcbPrivilege 3588 msiexec.exe
Token: SeSecurityPrivilege 3588 msiexec.exe
Token: SeTakeOwnershipPrivilege 3588 msiexec.exe
Token: SeLoadDriverPrivilege 3588 msiexec.exe
Token: SeSystemProfilePrivilege 3588 msiexec.exe
Token: SeSystemtimePrivilege 3588 msiexec.exe
Token: SeProfSingleProcessPrivilege 3588 msiexec.exe
Token: SeIncBasePriorityPrivilege 3588 msiexec.exe
Token: SeCreatePagefilePrivilege 3588 msiexec.exe
Token: SeCreatePermanentPrivilege 3588 msiexec.exe
Token: SeBackupPrivilege 3588 msiexec.exe
Token: SeRestorePrivilege 3588 msiexec.exe
Token: SeShutdownPrivilege 3588 msiexec.exe
Token: SeDebugPrivilege 3588 msiexec.exe
Token: SeAuditPrivilege 3588 msiexec.exe
Token: SeSystemEnvironmentPrivilege 3588 msiexec.exe
Token: SeChangeNotifyPrivilege 3588 msiexec.exe
Token: SeRemoteShutdownPrivilege 3588 msiexec.exe
Token: SeUndockPrivilege 3588 msiexec.exe
Token: SeSyncAgentPrivilege 3588 msiexec.exe
Token: SeEnableDelegationPrivilege 3588 msiexec.exe
Token: SeManageVolumePrivilege 3588 msiexec.exe
Token: SeImpersonatePrivilege 3588 msiexec.exe
Token: SeCreateGlobalPrivilege 3588 msiexec.exe
Token: SeRestorePrivilege 1368 msiexec.exe (alternating with the next entry, 16 times each)
Token: SeTakeOwnershipPrivilege 1368 msiexec.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 6048 Zona.exe 6048 Zona.exe 6048 Zona.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 6048 Zona.exe 6048 Zona.exe 6048 Zona.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 228 jp2launcher.exe 6048 Zona.exe 6048 Zona.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2160 wrote to memory of 4496 2160 40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe 84 (logged 3 times)
PID 2160 wrote to memory of 468 2160 40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe 89 (logged 3 times)
PID 468 wrote to memory of 2808 468 40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe 91 (logged 3 times)
PID 2808 wrote to memory of 3588 2808 javaSetup.exe 92 (logged 3 times)
PID 1368 wrote to memory of 5056 1368 msiexec.exe 94 (logged 3 times)
PID 1368 wrote to memory of 740 1368 msiexec.exe 95 (logged 3 times)
PID 740 wrote to memory of 4488 740 MsiExec.exe 96 (logged 3 times)
PID 740 wrote to memory of 60 740 MsiExec.exe 99 (logged 3 times)
PID 740 wrote to memory of 1012 740 MsiExec.exe 100 (logged 3 times)
PID 740 wrote to memory of 1964 740 MsiExec.exe 101 (logged 3 times)
PID 740 wrote to memory of 4584 740 MsiExec.exe 103 (logged 3 times)
PID 740 wrote to memory of 872 740 MsiExec.exe 104 (logged 3 times)
PID 740 wrote to memory of 4908 740 MsiExec.exe 105 (logged 3 times)
PID 740 wrote to memory of 3648 740 MsiExec.exe 106 (logged 3 times)
PID 740 wrote to memory of 3888 740 MsiExec.exe 107 (logged 3 times)
PID 6060 wrote to memory of 6080 6060 javaws.exe 110 (logged 3 times)
PID 6060 wrote to memory of 228 6060 javaws.exe 111 (logged 3 times)
PID 468 wrote to memory of 2316 468 40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe 113 (logged 3 times)
PID 468 wrote to memory of 380 468 40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe 114 (logged 3 times)
PID 2160 wrote to memory of 5764 2160 40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe 115 (logged 3 times)
PID 5764 wrote to memory of 5896 5764 Zona.exe 116 (logged 3 times)
PID 2160 wrote to memory of 6048 2160 40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe 117
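The WriteProcessMemory IoCs are the sandbox's record of each parent writing into a child it has just created (three writes per child in this run, and only the writer's image name is logged), so they can be used to rebuild the parent-child tree independently of the Processes view. The script below is an added example, not part of this report: it parses lines in the sandbox's wording, de-duplicates the repeated writes, and lists the roots. Because the section is capped at 64 IoCs, the write that created javaws.exe (PID 6060) is not listed, and 6060 therefore shows up as a root even though the process tree places it under MsiExec.exe (PID 740); the roots() helper is there to surface exactly that kind of truncation. The sample lines are copied from the section above; SAMPLE, parse_wpm, build_tree, roots and render are names chosen here.

```python
import re

SAMPLE = "40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe"

# Constructed sample: one line per distinct write taken from the IoCs above
# (the first edge is kept in triplicate, as the sandbox logged it, to show
# the de-duplication).
WPM_LINES = [
    f"PID 2160 wrote to memory of 4496 2160 {SAMPLE} 84",
    f"PID 2160 wrote to memory of 4496 2160 {SAMPLE} 84",
    f"PID 2160 wrote to memory of 4496 2160 {SAMPLE} 84",
    f"PID 2160 wrote to memory of 468 2160 {SAMPLE} 89",
    f"PID 468 wrote to memory of 2808 468 {SAMPLE} 91",
    "PID 2808 wrote to memory of 3588 2808 javaSetup.exe 92",
    "PID 1368 wrote to memory of 5056 1368 msiexec.exe 94",
    "PID 1368 wrote to memory of 740 1368 msiexec.exe 95",
    "PID 740 wrote to memory of 4488 740 MsiExec.exe 96",
    "PID 740 wrote to memory of 60 740 MsiExec.exe 99",
    "PID 740 wrote to memory of 3888 740 MsiExec.exe 107",
    "PID 6060 wrote to memory of 6080 6060 javaws.exe 110",
    "PID 6060 wrote to memory of 228 6060 javaws.exe 111",
    f"PID 468 wrote to memory of 2316 468 {SAMPLE} 113",
    f"PID 468 wrote to memory of 380 468 {SAMPLE} 114",
    f"PID 2160 wrote to memory of 5764 2160 {SAMPLE} 115",
    "PID 5764 wrote to memory of 5896 5764 Zona.exe 116",
    f"PID 2160 wrote to memory of 6048 2160 {SAMPLE} 117",
]

# sandbox wording: PID <writer> wrote to memory of <target> <writer> <image> <procid_target>
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(line):
    m = WPM_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    src, dst, src_again, name, target = m.groups()
    if src != src_again:
        raise ValueError(f"pid column disagrees with description: {line!r}")
    return int(src), int(dst), name, int(target)


def build_tree(lines):
    """Return (children, names): children[pid] is the ordered, de-duplicated list
    of pids that pid wrote into; names[pid] is the writer's image name."""
    children, names = {}, {}
    for src, dst, name, _target in map(parse_wpm, lines):
        names[src] = name
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
    return children, names


def roots(children):
    """Writers nobody wrote into: genuine roots plus any process whose own
    creation fell outside the sandbox's 64-event cap."""
    written_to = {d for kids in children.values() for d in kids}
    return [p for p in children if p not in written_to]


def render(children, names, pid, depth=0):
    """Indented text tree; leaves show '?' because the log names only writers."""
    lines = [f"{'    ' * depth}{pid} {names.get(pid, '?')}"]
    for kid in children.get(pid, []):
        lines.extend(render(children, names, kid, depth + 1))
    return lines


if __name__ == "__main__":
    ch, nm = build_tree(WPM_LINES)
    for root in roots(ch):
        print("\n".join(render(ch, nm, root)))
```

On a full export the same parser applies unchanged; on the capped list here it reports three roots (2160, 1368 and the orphaned 6060), which is the cue to go back to the Processes view or to a less aggressively capped source before trusting the tree for attribution.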
Processes

C:\Users\Admin\AppData\Local\Temp\40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe  (PID 2160)
    "C:\Users\Admin\AppData\Local\Temp\40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cscript.exe  (PID 4496)
        cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe  (PID 468)
        "C:\Users\Admin\AppData\Local\Temp\40d21a625ebf655bddea1bdec61138cc0b39697a47237fc03a885b248628c382N.exe" /asService
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\javaSetup.exe  (PID 2808)
            "C:\Users\Admin\AppData\Local\Temp\javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\msiexec.exe  (PID 3588)
                "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken

        C:\Program Files (x86)\Java\jre7\bin\javaw.exe  (PID 2316)
            "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\Zona.7z" "C:\Program Files (x86)\Zona"
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Java\jre7\bin\javaw.exe  (PID 380)
            "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Local\Temp\appdata.7z" "C:\Users\Admin\AppData\Roaming\Zona"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\Zona\Zona.exe  (PID 5764)
        "C:\Program Files (x86)\Zona\Zona.exe" /copydll
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Java\jre7\bin\javaw.exe  (PID 5896)
            "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\Zona\Zona.exe  (PID 6048)
        "C:\Program Files (x86)\Zona\Zona.exe" --readInitFile
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx

        C:\Program Files (x86)\Java\jre7\bin\javaw.exe  (PID 6128)
            "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZonaUpdater.exe  (PID 4372)
            C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZonaUpdater.exe
            - Checks computer location settings
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery

            C:\Program Files (x86)\Java\jre7\bin\javaw.exe  (PID 5440)
                "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\zupdater.ext.jar" ru.zona.plugins.zupdater.ext.Main update
                - Executes dropped EXE
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZONAUP~1.EXE  (PID 6140)
                "C:\Users\Admin\AppData\Roaming\Zona\plugins\zupdater\ZONAUP~1.EXE" /asService /logPath "C:\Windows\ZonaUpdater.log"
                - Executes dropped EXE
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cscript.exe  (PID 4316)
        cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
        - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\Zona\Zona.exe  (PID 2432)
        "C:\Program Files (x86)\Zona\Zona.exe" /copydll
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Java\jre7\bin\javaw.exe  (PID 4408)
            "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\Zona\Zona.exe  (PID 5564)
        "C:\Program Files (x86)\Zona\Zona.exe" --readInitFile
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Java\jre7\bin\javaw.exe  (PID 5512)
            "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cscript.exe  (PID 5324)
        cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
        - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\Zona\Zona.exe  (PID 4740)
        "C:\Program Files (x86)\Zona\Zona.exe" /copydll
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Java\jre7\bin\javaw.exe  (PID 824)
            "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\Zona\Zona.exe  (PID 2324)
        "C:\Program Files (x86)\Zona\Zona.exe" --readInitFile
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Java\jre7\bin\javaw.exe  (PID 4944)
            "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cscript.exe  (PID 5304)
        cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
        - System Location Discovery: System Language Discovery

C:\Windows\system32\msiexec.exe  (PID 1368)
    C:\Windows\system32\msiexec.exe /V
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe  (PID 5056)
        C:\Windows\syswow64\MsiExec.exe -Embedding 3130D11A59CBEEF5899D8B106C213716
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery

    C:\Windows\syswow64\MsiExec.exe  (PID 740)
        C:\Windows\syswow64\MsiExec.exe -Embedding 408A59A752B3DB416A881395AA4D17A0 E Global\MSI0000
        - Loads dropped DLL
        - Installs/modifies Browser Helper Object
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe  (PID 4488)
            "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe  (PID 60)
            "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"
            - Executes dropped EXE
            - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe  (PID 1012)
            "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"
            - Executes dropped EXE
            - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe  (PID 1964)
            "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"
            - Executes dropped EXE
            - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe  (PID 4584)
            "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"
            - Executes dropped EXE
            - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe  (PID 872)
            "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"
            - Executes dropped EXE
            - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe  (PID 4908)
            "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"
            - Executes dropped EXE
            - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe  (PID 3648)
            "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"
            - Executes dropped EXE
            - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\javaw.exe  (PID 3888)
            "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Java\jre7\bin\javaws.exe  (PID 6060)
            "C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Java\jre7\bin\javaw.exe  (PID 6080)
                "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery

            C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe  (PID 228)
                "C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma 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 -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Browser Extensions (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
-
Filesize
10KB
MD55f67c4d0cfa79bd8b748d0703a70a2ea
SHA1c4f4514d278e108d9337d88c0d4a7ab4b5755076
SHA2567b35f6658c120db4abb4f12bb31c7209baa382e4f5323560a5183b47ec458be5
SHA5122b49311fcaf2dc0d00df95ee0183653776eb642460109ff4d7402b4203e75c43b85dddcdd43bc5401e9bb0adef8348f0020f4b63df92074d4a4f3599b143f66d
-
Filesize
755KB
MD5bf38660a9125935658cfa3e53fdc7d65
SHA10b51fb415ec89848f339f8989d323bea722bfd70
SHA25660c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA51225f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1
-
Filesize
95KB
MD51722510af00ea3c7406681b47bf442f7
SHA1cafac266d52d78d3743c31ebef22a894781e0de5
SHA2564010a3ec604a327861bedf01626c12eaded9d381b6e4f0e6f760895838834a21
SHA51231a2ce3d5eb9828cbb82d2a7e29f2c5bf46528d38f25827329512cedde37bd03b3cfdba0aba3320b6c0e7779588958e83bff735f6059aad37172598e70e863eb
-
Filesize
3.4MB
MD527147e1e3faf9b5ccda882cd96f2a85c
SHA17103f60121727917f812bfc7cdff5347fc17cc8e
SHA256500d359211ece211cf672de328345876f016fb4a476b2a03cbc3b8b89023ae1f
SHA5120866c604911e243687e7fe721142eb882b19691c902736b59ba304933463d8c9154ecc319b91c9771cee8139e151cc2a2e960bc7a93ed97352cf5232a0964194
-
Filesize
371KB
MD587ec9d4a00d34eb6a0f8f92e1d1cc08e
SHA1bee4ecae201905096dd44d1d348ecb3556d90832
SHA256352707a271a9ab5d0e190a539b6468d6c6c5ce9675b300acf2305aa1f30625d8
SHA5125b7f9866168ad7948a5a80078b14ff747201d17922ca907072a081e0078f6ac68446ddd36b027b4a17f5afa7d1bb4962642cff28cf66867171ebb78735f242d2
-
Filesize
864KB
MD5bc3a575dfb1a58d35e8617f2966bf1ea
SHA16353630f62e246d7f462134e8d10a7a42935e20f
SHA256c029fd3c6ffd2158d0633fc122786838a6f5d3cc7ef78bbe934697015c8c63dd
SHA512c976da30d343f8e104bec72300dc0c17e582e380f0a3ae85b242dbf2d5b40459feb4a3b7789fb8d755b21cbaa0940038d20dbbf1296a48e77b461092abbbe514
-
Filesize
117KB
MD5a258a133f7d565600647a248ab95792c
SHA11c6a855ca1fc04413b906b0b17609eff38317161
SHA25681ad5696a6fcad89127fc7a428636d431b446ff1ee0c37bf87e8d513a8bae7af
SHA512bf9dd97947eb0c71243ae28255af54b06d9e17af7ade666538dd93f9fdf6d8fbc3855f48bfaf6522dbd9ce3c6cff655581f092709670606d033f2321b1f4a5e7
-
Filesize
171KB
MD588651044108e995f9801e35d2582491c
SHA1abbf404c0253d085223a64ab947e1057c4211c9c
SHA256c7fd72a0730b377c6da5ac80cdaf5f4cca84cc999a563a4c420fe5a8576810f8
SHA512486b1d7ad7c3debcb8d70f9351adb08c8321c4cfb409a00ff818be1dacdc376a0eded630ccdc74aa99cc472589b88c9681989076fd78eb109759d33e7bf70543
-
Filesize
171KB
MD564e2bb67ea740860510dcc5c2b6ffa2d
SHA16c5996358264624cdb4a075acc4f0b46177cd259
SHA256844ab2231f45fad60d81770ea36d9937da9aa72cd905ce06e7471ddf9d69263b
SHA512ed24331883ada44d8b034f5c8bc458e53234109d5cd02a27989972033f5b3305d23365106ce80be81caa16e472c14c103e457a1e0d138eb0d95036e58d877462
-
Filesize
266KB
MD52b4493bb1f94580c41def972ea9a887e
SHA1880ca8b20c6df9a6a176b91cc50304cb0fe66d06
SHA256841339373958786d9c93a7dad5de8fd213ed6b5ad69623f5a5762a453c48e0a5
SHA512b43e54f2c1f3e0a3c3d2fcee518e47d17476bb735606351e41b49e97e10af758ea9a539ac370a2d12cffa93e3e752e829db969968664c59386f65b732c29e40e
-
Filesize
145KB
MD50d46182b6134aa9c7acd16133d67e4c3
SHA17b5be3d65e5e744723bf55a08f9dc1042585d5eb
SHA256c89091f2a4de2fcf10b30e54a74ec5764e2dfc0577f4f1d879ac8816e3b08bcc
SHA512735b6c6bd69b22a71c15ae44c6fa1693700321dc3b4b2367ce05d5c37df62e45d1d3836c2c0f5e44be1036aeb11a533c2a4dbec55163b4a15adfa1c8ef75673b
-
Filesize
38KB
MD5cb89b1d71061f5ec52468528ecc0b1fc
SHA16feb23a8b5719c8997de92c7da644807fcba8819
SHA25687d8d59972e73700507c07cee8750b0053c6a0899410338722a00c2803d39ee6
SHA5122ff0ed38c7f28eb7ea16f24a0841dfb3306c4fec48ded5fddec8c3140f1a425433a444fe6b6cc4c17b3a39841c8ab0c23d7c9525c119c1b9d6daac2c17a4e4b0
-
Filesize
159KB
MD5958bc8d82e4d0a5b51536bb4fc4fb6d6
SHA1626312fa01c72ec5c85c9262ba0ae97a8b1f5b25
SHA2562ef891881d506084ed182a0ac58b10dbe8c45877ef889ac9105f19431beee4ca
SHA512fe17b58e3eed817619bebf6d091aee99fdc331c9c5a4163e9f5993b41b2e7362365da210e0636755ada6b8838012de1bc5435b8670aa12f378a3c9e3a9f5af04
-
Filesize
66KB
MD51ecf056944068b933ba71cda3edc4a68
SHA12052b2138db0d9a368942470b41bb6fc5b1d4007
SHA25635ce7ab154a38e97951714e17f7689873d89e8c01188de6e5cd741bc0ca3e384
SHA512cadf312841d392a9970cc068b72063e17454d5e6738b46ec9622257d9dfc0bcad0d9420352752bf7d8f8e8ceaf6aca97d83896f753dc12cfeac3e5efb5e1ab05
-
Filesize
3.4MB
MD53f080df73b2d7cad61bddcf709aadc72
SHA1616e9ec760722737f38213f43755131f836dd627
SHA256dd213d0867714191e351f589dc709d6f3cafee819aafda8f8fe022d367ea189b
SHA512733b65d3662f2eb9a8f64212e306d934929a05fd753040073f7e2769df77791c29aef9e35610b7b22597bbea6d805a8e04f93235fe761bf6bd5c5733c867025b
-
Filesize
1.3MB
MD5549bbcd204914b543dafee670f110834
SHA1012461935191a55482e8c3d453d245e965a10a2a
SHA2568ea5af036ec067a0abcf87b8f5921e2281ff9d259e1d4c3bbe7fa9037cd87d02
SHA512b0346a2ec52ce47351286f27f347f5fea99e160aedde52bcf74e1629739704bd975c9c99d8db6be3b6bd45e7fa933616fa081eda49e9b911efcc031c7241400e
-
Filesize
73KB
MD51a0b7592ab9c12aff1191dfd225154ca
SHA13d3fb5f326f2caea866028558834ae684a2fe09f
SHA2563837e95826d2273a54e3869efcad1521e000215428a2c7ee9397b650834ebaf1
SHA512b2932400b6d8c72d344cb0592f121623dd848dcdd341248cf18cd55cd0c4fbd7f923057d022f89586ec6062299d756a37b3ff4308f10865de6ba68b2ee530fe9
-
Filesize
1.7MB
MD5b2a448112b7c886ccce9b6a3d5efd8a0
SHA1660bc9efe960015b208a421b1a63443e7151024f
SHA256928f6b847f94b920c462a08c43f0dfd3f7c40076b1cd60545523a5c27a4870ca
SHA512871da63f4eaf16d77ba6c19c10d8ddd8e94f744c20a70e24793f837023d20e56698d85f67498bc06ec37b73a8f376c220afbe7f3884b00536b710ff49c339b3f
-
Filesize
736KB
MD5c8dc1cfeaf0fefc39ed0f1de4eaa175c
SHA111cacbb9e5724d37789455de37a225d8e0c648a1
SHA256da2803a283d28882182e1e280b4f25ee1579a5805e73fcc9882e63968f102a8f
SHA5126b419ba94ae90f8caa3a57690f2ec7e249c9fb8ab86819439621cde1243c7636ee76820622ce32ed483ce76976f7ced74778898fc2725b1a2407b039fb53508c
-
Filesize
686B
MD55147cce789cd18ad6b2996eb89e5d866
SHA1756f1fffe96ef581f0d4d47253523544c89a2622
SHA256c471d622198461715f245d478484fc7c8de533313c56e922931a875460a5aa88
SHA51255f53adb70b1cf741cdf0dee74d92d2bf4c96954a760afae289972a0ea9bb27bc5eb4df1bd41829c7c484211fcb294fe296a4d560d8a1cdbb8c707b3bf2a79a6
-
Filesize
153B
MD51e9d8f133a442da6b0c74d49bc84a341
SHA1259edc45b4569427e8319895a444f4295d54348f
SHA2561a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA51263d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37
-
Filesize
205KB
MD5
491bce42c6cd8af88a2e11f37711ed4f
SHA1
3de7c18fee44465a6afe34e068f2a64dea9fa324
SHA256
ee43869ee94eefe241d661101ff6a03cc276f8e558967b1b350ea088f1dad2e2
SHA512
1e5f99466b77b5a82c23449434272acf5746811ef96b98105f89b3339ccd86734d7713c94b773755219345d673a761a356fbe846a38e7893bd8894e43cf102e4
-
Filesize
3.2MB
MD5
dfaa6429468d56ef77932cf26a495f75
SHA1
8a21a29225640f1829ae328a24ef9cb5e215a4e0
SHA256
8c481a549acfa58b1bac0385906febe33a928d004a529fec505b6a9228678fed
SHA512
6c19ed573b111315648de0646441486729b304452c15b2282938460a2339db0be4e1eb19cf6f2bf17f73037811ca2553a15957ea96b9d9af64a93045407c1148
-
Filesize
141KB
MD5
31b4d9c29d29567b0ae3037fac9fbdc6
SHA1
8b5d1b1a309177466d71a742414d441f600ea38e
SHA256
9f031f2f1292bb311c400b0a93a11b78a08f013332b1263ea58617b6548862eb
SHA512
b4a8a3a1e837f98a3164e19a6fe939819eb336892335de975822890b52b5923d85fee4c4e5464ccb0d46c847f37f7da98a839aadbf4d20fca355f396a53836c0
-
Filesize
2KB
MD5
8bff510abed2b6fcc5a83eedb65b1766
SHA1
ba6d0cd7504a5baeb963501b8bdf315ec6cb355c
SHA256
afb4850419612e0daf1876a5d61120ed0ccae241f188c25c014602007b3a765b
SHA512
8786bd672ce9c53f4c31f8206d621eb06ae7527f9adf3700955cc1cb928dde145b684666a5eb4ac11301541f585970ccd377ba144da351741e3cb5769b6ff522
-
Filesize
489KB
MD5
47d6cfa1b01a6d41885504bbc3b1919a
SHA1
3838060f9d530c972d65f36fa38b265120a218aa
SHA256
93defaaf7f82e2e9565b27dd31a41c89e02d1b7719d0da0b940a55dcc75b91e5
SHA512
b0df9b174624234aaeb2b50cf611f698377925a0ae5c5ee9da46c65fcecf4d28941d1bf2332316d9327981c1f8c6c4fecf750e013f04eef63f5df52d27593135
-
Filesize
49.4MB
MD5
bac77d8d145bd553c7efdf7978d9dff0
SHA1
31da52beb0237a6ffd6ebc4a766d92f12a226fb6
SHA256
a85b24d93ceb6095691838dda51d31bc5e8dc94663514b46c48d7c41d351aad2
SHA512
2aabc1986338a68cdecf6d46afd6492a90940d9412bf8f7ad7c6183091403a784244ecf1007dc3875a892c0b1c2557f5de31f387011ca8db657f4367f5fc86ba
-
Filesize
13.1MB
MD5
b6d75e8c90c79af1579769f10b1e5c88
SHA1
146cb3f05fa161885e8faf079fa2bbd89b5c5b18
SHA256
82dc6806d9ec9eb16604f90a5c78d0d882b69a0e718d8f6c3c6b7c9719887b7e
SHA512
02cdd0c0d6e71bc09120db2cd3b9471c0176567d92bb74a08c13e82c1d23722eb4afac41583a11dee3fc531fd442754ee0f5cb964898ec036ddd432947996037
-
Filesize
27B
MD5
7da9aa0de33b521b3399a4ffd4078bdb
SHA1
f188a712f77103d544d4acf91d13dbc664c67034
SHA256
0a526439ed04845ce94f7e9ae55c689ad01e1493f3b30c5c2b434a31fa33a43d
SHA512
9d2170571a58aed23f29fc465c2b14db3511e88907e017c010d452ecdf7a77299020d71f8b621a86e94dd2774a5418612d381e39335f92e287a4f451ee90cfb6
-
Filesize
27B
MD5
a2abe32f03e019dbd5c21e71cc0f0db9
SHA1
25b042eb931fff4e815adcc2ddce3636debf0ae1
SHA256
27ba8b5814833b1e8e8b5d08246b383cb8a5fb7e74e237cdbcadf320e882ab78
SHA512
197c065b9c17c6849a15f45ac69dafa68aaa0b792219fedb153d146f23997bfa4fbc4127b1d030a92a4d7103bded76a1389df715b9539ea23ea21e6a4bb65fb2
-
Filesize
27B
MD5
715dc3fcec7a4b845347b628caf46c84
SHA1
1b194cdd0a0dc5560680c33f19fc2e7c09523cd1
SHA256
3144bc5353ebbd941cdccbbd9f5fb5a06f38abf5cc7b672111705c9778412d08
SHA512
72ab4b4ad0990cce0723a882652bf4f37aac09b32a8dd33b56b1fbf25ac56ae054328909efd68c8243e54e449d845fb9d53dd95f47eaaf5873762fcd55a39662
-
Filesize
27B
MD5
11f8e73ad57571383afa5eaf6bc0456a
SHA1
65a736dddd8e9a3f1dd6fbe999b188910b5f7931
SHA256
0e6a7f1ab731ae6840eacc36b37cbe3277a991720a7c779e116ab488e0eeed4e
SHA512
578665a0897a2c05eda59fb6828f4a9f440fc784059a5f97c8484f164a5fcec95274159c6ff6336f4863b942129cb884110d14c9bd507a2d12d83a4e17f596d2
-
Filesize
1KB
MD5
6037650eb5b22b2d2d6f1e0fd5dda47c
SHA1
cd00b2f03ad3750065295fe3b2de74a319e4111f
SHA256
3a2ce03af3ee36a42db31711269ed6138000854261eaaf34308430fc9483f429
SHA512
be73beef9f97fa92f3ca6e1eed6c4fc86fcf030f947f66cc7e0ea5c25e4418ddc2ef8f33247d26d7eddc8615be23dfe906f26a7f74ca004e9ad045198f589fd7
-
Filesize
24.6MB
MD5
003a488a2139105704566b47eb29520d
SHA1
52d672a592cd52ad5e2e7239421f2659e0d17afa
SHA256
a84262dd486cf59049d0d2d9a1b00dfb5aa5271592edd8de0e052f12496dec67
SHA512
ab34061f8e04bb1d59f1b35e0e1848a176f2b119095e79015130da3a4384c70fa35ecbe1625e07c0eb0de49c67bcdbba59f10fa1dfbbb2066dcb6ee6825215de
-
Filesize
898KB
MD5
e24d9b483ce7a3a6a4406111883457f7
SHA1
0d5efff0d110c48f5e6f5d438967427f1e2dbf84
SHA256
dbf28e21d55dd662cccf4d422a1a645a6a3dbfd6914942dde417d20c4d2fe01c
SHA512
b614b023ce683e78ee685be028fa06d7df90f10360d55de2a8c1214200b0b85998683502f377b01584bf23b72b168c33ef560a78d7abdf68aa3af87beca59398
-
Filesize
146B
MD5
8eec510e57f5f732fd2cce73df7b73ef
SHA1
3c0af39ecb3753c5fee3b53d063c7286019eac3b
SHA256
55f7d9e99b8e2d4e0e193b2f0275501e6d9c1ebd29cadbea6a0da48a8587e3e0
SHA512
73bbf698482132b5fd60a0b58926fddec9055f8095a53bc52714e211e9340c3419736ceafd6b279667810114d306bfccdcfcddf51c0b67fe9e3c73c54583e574
-
Filesize
2KB
MD5
206b2934ee1804a38fa353796b3b7807
SHA1
3568da1968d0df356298dbc41f22f22326cb513b
SHA256
afd25943dafbb24589db0363f698780678ba91cd3287e08b2ae9139b14b05ff7
SHA512
176e00035f2f67b9da8a7d51629c2bfdebc05f078ab0a01e2a356429f22bc9b26bc8ad9b4519253929173486c34c223b98a5bc18a38aa4ba746db58af283a5f2
-
Filesize
4KB
MD5
076b134e834a9d908387cefac1ec1389
SHA1
c44acb20eb9c4de62103bbe509849238a6477e3f
SHA256
12a4db81fcc92449f778e98e4bac63e3c65d33ff75d502b8c1585c00883e92d6
SHA512
9c70a974818edc56df606e698a3af0e9259c3b0e20182eb8ec9cfa342f7a62c3935478f2dcac534b04d2c021b2b165b51f1f41469ba8559f8c367898f3d636f2
-
Filesize
4KB
MD5
24c2e817b3fd783eb6a566518c0da84e
SHA1
0c2137da29ab51025d1364407ae037f897638c19
SHA256
34a40235fdab01c17895e471632ff507fe5e1f6461f870a40a0415b3fe62ff36
SHA512
61e62d1ee9eb882deca252195d71c8500d49de51c3fd5b4bc00d2c2af074b028c4d47054e0c8020a1e68247a55a1210f6351e7e30a41d825bc48c7c05143e775
-
Filesize
245B
MD5
d8682d715a652f994dca50509fd09669
SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e
SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba
SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca
-
Filesize
28.1MB
MD5
f2fd417b6d5c7ffc501c7632cc811c3e
SHA1
305c1493fca53ab63ba1686c9afdfb65142e59d3
SHA256
a87adf22064e2f7fa6ef64b2513533bf02aa0bf5265670e95b301a79d7ca89d9
SHA512
289ee902156537e039636722ad5ac8b0592cf5cffda3d03cf22240003627b049382b95db1b24cf6a2f7134b0df93ede65a80a86381fc161b54c84a76ed04458b
-
Filesize
22KB
MD5
525bf7f5b63ffd5e86fa3aee92551c21
SHA1
bf3cd939fe57f5076afbd231cb5b1b0ea03ba5d0
SHA256
e0e88bda4bcbbcfadb1009060372744f8b3f3628ae29b1d310a99255ec76aa7a
SHA512
825d048f8a3eb7ec88bda27eaf34b5c05a9545a12d48d29fc264aeae571fb2b4aa2957cd1b5459d53dc5d18b7968760d47136a6ec099c5612c3a7ab677b24d73
-
Filesize
23KB
MD5
18f48d6714640435ab93cad409e10070
SHA1
fd33c178274fb08adb77cf5c695ce29ba32417bd
SHA256
f7468e1cf9cb05006bb7eebf4ce106f98828351ac7d8637486794ba90e5f5bc2
SHA512
632e4957e610ab787ed9a2cf3e8d988acb16e4cfc4d4df9b52682ca54fa4f7fed980b7b5dd69b1c4dd71554894ee5e5199da630b721f3c7403652f923a16dcc1
-
Filesize
23KB
MD5
a2623660c345873243bb8f88145663b5
SHA1
d8cabac7b4057649bb6ca31504719fb0881c7190
SHA256
3532daff57c2b70280ef79edf17af55d108b2d46b88bdbf248fab74db2a43d14
SHA512
60dc96479ae28a9011dee7a2e8ff2cb60ab548a6164ba8f5562fcd1cb154362677a68c98c62aa62333ac9812d4ddb3e332957efdbc5acfb5eade18f111c21f6e
-
Filesize
24KB
MD5
e2aaff5f40ba3fbc2df129ed2157dd19
SHA1
8d6b9aeeae45922687e24365cecffdc0e4997f08
SHA256
1e1a1fcf7c15b8f6019b1696765c696e69a510bb25fd29daa4f8286b206e738a
SHA512
e1e5a42c4b5bac65b4747b149a694d738fe7e4e7c5398ef564885796e4d9d3cf5ae4ef1cd2066dd6ba24463654c090d79ac84e0f1ad76575155deab8088e6843
-
Filesize
25KB
MD5
250dd63c170bf6cc59e2a7a34edb348b
SHA1
da811a6038e340332de88fe1c2a574ee1bb8a8a8
SHA256
f46f4d796f236751d277dc24184765679d409c0e454ae07587ca09e0710a0f1f
SHA512
ffc14529043f3231ace3beda1cb14de9ef37d24221d462138eb8fe9cb255eacba42bb864e41a575b7c14773ae577f6e44afcd408f2415678f1019895e3c376c4
-
Filesize
26KB
MD5
6395ef19c45e81bddd74837a1394acb5
SHA1
92a97d8fa5c76891d0df4b4d9812370ee85859b9
SHA256
a0da062ab80c0dc8d84f51bd76faf53001cd4b48bcbc0ddae6d75e210ea92ccb
SHA512
5bb7439566d386aa46774e71378284fff75855f2b5971345d54e5142a23a9488a49b1de2a9533d37cb3f33c8d50cc64727daac7c96ca6dd3779144379a068fdb
-
Filesize
26KB
MD5
cc147c8509b89de26462cd73e51d3df4
SHA1
b37e85f40a18c1832530a760b309799378f7f6a9
SHA256
2f0f162f348b4020566418fd30c090fac83883284dde7c163b923f68d0886c69
SHA512
b8ef88fc7c91371605dc12a6fae41fa576836ad7eecbf728cd78ab5de9b235c221d5f43d2e9f9adc234f6ae5c3e823dd1b213aaa0340aa8d341015ad393a3e93
-
Filesize
3KB
MD5
a571a80e3e7f07d8d5318528ffcf057f
SHA1
e3ec23f4b500ff697f327a186c6b7a1d0203d242
SHA256
9bf99654183263090ac650e9f691e074a0de278848a0b618df2c074d9fac23e7
SHA512
70db57b8e9aafeaf7fb4e7c7bc4a7b91297b3e5ed7dbe683c63c8191bd98c0a92457d92ee4ee379eca4935c85362cbbfb1bc9fa4a00cc010afec40752d641be4
-
Filesize
163KB
MD5
05219acfa2729848565287caabce88e1
SHA1
b720eaf19849379e4ca80cf27263174e72b1b811
SHA256
41a406c9c336df63d0ff8d492a290569b23c5fd16e3bdd7d8657c009a6219ca7
SHA512
4c6ee3d750ecb918c34eff87cdce1d3333c65611eb9c0c818563b0069450720f14f1e87cacc47a4235dcd34c8da5385014e3d4b6dc4c384d7c4449fb4be6280b
-
Filesize
163KB
MD5
c2998b80fa5c84a52e33c3e5edfdfe20
SHA1
743a15a9246eacdaaf26de457cfc07c057ad18b2
SHA256
a777bcc894dc5a3414d7f18f050958881cc867380c5c862b54d75c73da24c92d
SHA512
4f3c21751f39c87f54ab6f29ab4ebcd69e58028bdc8d9cf313065062f653a69552bda083cf0d21b674b90f6f248264d48da5f6f521cef2e7afc7a3f16a7a2a08
-
Filesize
163KB
MD5
1c340bd295c0fcd6d2da487883b68f50
SHA1
acd1eff7b585f66fde885c6d1a03bac0402beb59
SHA256
6905046869471a84fbbaf56e7ee455d5dfb78b9a3b66cc26bd37da41e7eaa9d8
SHA512
4af6fa159e1a411a2dc2f5350a2c1c318cd330709da8c7d198eafed84d88bb50d30947d470a6291e068652fc52bb40fd686e2e9290f287deaa7124ff51cd426b
-
Filesize
348B
MD5
0e643d8a669bdea52bd5e3b7889483bb
SHA1
dfb1041773993baef4bfba15a9096060b258f069
SHA256
c4e36154f5b170f32150568a69d668ba4bb6067d781b8b076e2996400bd37316
SHA512
633dc74ce51fbb71d073d540365162ca9665260a86a89fcdd574327c68bd320c8fce28368c4818a52260bf2b8abcabfab58446eac466ce1adf88ed1386e59b66
-
Filesize
1KB
MD5
76ac0621e3db213ac56418d0600ae68d
SHA1
d118c9d763de7a0d45beecbc8659c4502b114c75
SHA256
fff6b89cce95b25d7fb821967a0f728197defbd7e99c56da971160ae459530ca
SHA512
7e94e52fca3a493922152953b3e7a4eb32c5c6143ecbcda7d436a69c1f23f971b24365f15679ddeec21d0975b7285aab0f2492a1d5eb33a60103c7d9a9ec8c89
-
Filesize
2KB
MD5
fb73f921310125aaec7d19c28fe7f238
SHA1
7da11f1fc22f3bd1fadde4a14fcf3e3f654e98c4
SHA256
ae8507c9f212d5298632ee10cb8774e7fed92f9745df1229cfe36b60b6fdb23b
SHA512
79848272268c529135f63a245e416164de3c6044c3d69ae0e77510df67f5a9b55f5713fb85c00b39ed4a220bd2c5b745e470db6b6620685a037c2eb4719bf418
-
Filesize
3KB
MD5
73fc8dcab1e439653c12a096cea89723
SHA1
5b5e0d5f75592a827d770926b76d77e1a6358146
SHA256
7b65b61aa15c872275456f2d3dd13bc49e2f345cf443d3a6fa416c5d84cb91cd
SHA512
4d2541c46ae22cdb3087ab0edac3adc7977f159cb59035912266fc9032da8919505bb6f5c17a84b69c16b19cbe51ced43edcf793e957139a6a27db166fea872e
-
Filesize
3KB
MD5
e851451159c4b69428869c6ab10add47
SHA1
f473f2abb06e24bc1838f29310e658da63276d8f
SHA256
fbfcad753e092e54e5dc4ab56df720c622fb684a99c953346ee38af00cbeba68
SHA512
081119d5a7ebcdc924362476532413cc68c50154296e84f77397095bca927145b8da71182a333b3e5307664e7d538a60b83527bddd6cbfe5f2739491000aa127
-
Filesize
4KB
MD5
87bcd8594239c95b25464b2dff769628
SHA1
7dd74244ee4131629115f7f85d14b5fbb0be0670
SHA256
0e3a9ece25d0d4f9b93a78484f8badd387b70eeeb40acb12f01640bcb7b47988
SHA512
bc16a6af32c21985e640ca69fd1f5a573b4af3944bc2a6906c9e40ce3911ac41894157f82674b3f5b2292ab25a527841458acb62717605eea19f01fcffae0cf9
-
Filesize
28KB
MD5
cadd1d3521af856893bde2a1db1804b1
SHA1
a0a9f1a3b729af16555972302e75035776c111b7
SHA256
ce03e50d68c97ce903cce1d337b8b45d5df43cbf5fdb15fec4b19ea55242ad76
SHA512
503a432c79ba9970f38cc5aa8e5f99e9b11ddd862badfd22050db0d65780b87688d286dfab3164dfeb86d5a03f8260c251a021b4e76ae47060fb3853e6dab6e4
-
Filesize
202KB
MD5
9f84d910602183954bed6d9660600783
SHA1
82e3b122dc63e0a333bca531dd16667d5fafbf23
SHA256
bf4e4c75d148cb412e28a0b4e665919fd5ac6b9aa6bc3fa75401394759218d5e
SHA512
09fb450e6c6f22a32d5e06f470070aab17d4973afe307b529093af7fa29ab96b61a89814e4964d005459f8ebb25716134a5e1c41f6ea7d260361b135306544b9
-
Filesize
2KB
MD5
65f42fae54bbe1ee91e227d64d421d86
SHA1
f77dda617fe6e09ae1bda3fbffc1b080bd74359a
SHA256
3ea89a9302610f08cf3ad320545692bcd44d8f99ccca943ddcd9165feb96454d
SHA512
31e9019c756a63c131b78ba8d1ddbfac36d803da755654c388aeafd9a62067df2734495b3baecc7e133ffab6c6c9c5ce000768467a095e90c56de38f97431b26
-
Filesize
2KB
MD5
8b3faac5c1f5427370c9236914fdd14d
SHA1
ac82a791802867aec1a6a08e376924ea07ff2983
SHA256
a0e04a5f53450224ce0f6aac093caf688649ad2001f192e6220a9fdbbb57d173
SHA512
ba487732dc39fd41fe5cce9296b855aa023855ba97126537822eaf6bf4953ab4982de4780edad0f742826ce4f1f915f2f36df9ee4ef476147defebc487622a9d
-
Filesize
3KB
MD5
f777cac2cae7250f67ef22809612da4b
SHA1
53e8824fb4cf4844e160f8c600cffad0a1fe026c
SHA256
2e32e0a92e4429f8c1a575343d1fda4129eb8a1554161333980150c64c44f154
SHA512
ea2c235933c21490bb3d6caeeaed50b5a048a716bb0c7bc3bfd4c5e683461506680a8d3e447d99a4e1c7d63026ba3f89aee8ca8f314eee321161c2f31521580c
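The dropped-file hash list above is what an analyst turns into indicators, and the usual failure when doing that by hand is a digest that lost a character in copy-paste or extraction. The following Python is an added example, not part of the sandbox report or any tool it mentions: it parses the Filesize / MD5 / SHA1 / SHA256 / SHA512 blocks (accepting both the label and value run together on one line and the label on its own line), rejects any digest that is not hex of the expected length, and emits a YARA rule over the surviving SHA-256 values using YARA's `hash` module. The sample input is constructed for the example: the 73KB and first 27B entries are copied from the list, and the third record is a deliberately truncated copy (63 hex characters in its SHA256) to show the length check firing.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Expected hex-digest length per field. Any other length means a truncated
# or mis-extracted hash, which must not be shipped as an indicator.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# A label, optionally followed on the same line by its value ("MD5<hex>" or
# "MD5 <hex>"); a bare label means the value is on the next line.
FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class DroppedFile:
    filesize: Optional[str] = None
    md5: Optional[str] = None
    sha1: Optional[str] = None
    sha256: Optional[str] = None
    sha512: Optional[str] = None
    errors: List[str] = field(default_factory=list)

    def has_data(self) -> bool:
        return any([self.filesize, self.md5, self.sha1, self.sha256, self.sha512])


def _set_field(rec: DroppedFile, name: str, value: str) -> None:
    """Store one field, rejecting digests that are not hex of the right length."""
    if name == "Filesize":
        rec.filesize = value
        return
    if not HEX_RE.match(value) or len(value) != DIGEST_LEN[name]:
        rec.errors.append(f"{name}: bad digest {value!r} (len {len(value)})")
        return
    setattr(rec, name.lower(), value.lower())


def parse_report(text: str) -> List[DroppedFile]:
    """Parse Filesize/MD5/SHA1/SHA256/SHA512 blocks separated by '-' lines."""
    records: List[DroppedFile] = []
    cur = DroppedFile()
    pending: Optional[str] = None  # label seen alone; its value is the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":  # record separator
            if cur.has_data():
                records.append(cur)
            cur, pending = DroppedFile(), None
            continue
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if value:
                _set_field(cur, name, value)
                pending = None
            else:
                pending = name
        elif pending:
            _set_field(cur, pending, line)
            pending = None
        else:
            cur.errors.append(f"unexpected line {line!r}")
    if cur.has_data():
        records.append(cur)
    return records


def sha256_iocs(records: List[DroppedFile]) -> List[str]:
    """Unique, validated SHA-256 values; records with any parse error are skipped."""
    return sorted({r.sha256 for r in records if r.sha256 and not r.errors})


def yara_hash_rule(records: List[DroppedFile], rule_name: str = "dropped_files_sha256") -> str:
    """Emit a YARA rule matching any validated SHA-256 via the 'hash' module."""
    conds = [f'hash.sha256(0, filesize) == "{h}"' for h in sha256_iocs(records)]
    body = " or\n        ".join(conds) if conds else "false"
    return 'import "hash"\n\n' + f"rule {rule_name}\n" + "{\n    condition:\n" + f"        {body}\n" + "}\n"


# Constructed sample: two entries copied from the report (one run-together,
# one label-per-line), then a deliberately truncated record (63-char SHA256).
SAMPLE = """\
Filesize
73KB
MD51a0b7592ab9c12aff1191dfd225154ca
SHA13d3fb5f326f2caea866028558834ae684a2fe09f
SHA2563837e95826d2273a54e3869efcad1521e000215428a2c7ee9397b650834ebaf1
SHA512b2932400b6d8c72d344cb0592f121623dd848dcdd341248cf18cd55cd0c4fbd7f923057d022f89586ec6062299d756a37b3ff4308f10865de6ba68b2ee530fe9
-
Filesize
27B
MD5
7da9aa0de33b521b3399a4ffd4078bdb
SHA1
f188a712f77103d544d4acf91d13dbc664c67034
SHA256
0a526439ed04845ce94f7e9ae55c689ad01e1493f3b30c5c2b434a31fa33a43d
SHA512
9d2170571a58aed23f29fc465c2b14db3511e88907e017c010d452ecdf7a77299020d71f8b621a86e94dd2774a5418612d381e39335f92e287a4f451ee90cfb6
-
Filesize
2KB
MD58bff510abed2b6fcc5a83eedb65b1766
SHA256afb4850419612e0daf1876a5d61120ed0ccae241f188c25c014602007b3a765
-
"""

if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for r in recs:
        print(r.filesize, r.sha256, r.errors)
    print(yara_hash_rule(recs))
```

Records with any error are dropped from the indicator set rather than partially used, so a truncated SHA256 also keeps that record's MD5 out of the rule; in practice you would go back to the report and re-copy the entry rather than trust the remaining digests of a damaged row.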