833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa

Analysis

max time kernel
82s
max time network
59s
platform
windows7_x64
resource
win7-20220812-es
resource tags

arch:x64arch:x86image:win7-20220812-eslocale:es-esos:windows7-x64systemwindows
submitted
15-02-2023 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

plants-vs-zombies_vhQfH-1.exe
Size

1.7MB
MD5

99a9fbd5fee72ce51585309390a46717
SHA1

ff39c56312090a909c2c0c82629c552a3b252a98
SHA256

833064195b0c96bce9a8c00dc95df6bd9fce1092c1260ba0e877810bfc44b0aa
SHA512

97f9a98fb48c8281818163d3dbe66fa246e1fe6a5a67f15175419992b0ca389cbe086e457177c21ce9c99ff05a1e0b508812cdf30220090a438dd8c94f73c6b7
SSDEEP

24576:R4nXubIQGyxbPV0db26Wmd0l4sv1Et9uGpckT52zedlq89Ws5uIzk5aM/phdO7:Rqe3f61mZSffPMWrQ0ZkA

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

plants-vs-zombies_vhQfH-1.tmpfile_vhQfH-1.exefile_vhQfH-1.tmpplants-vs-zombies.exevcredist_x86.exeinstall.exe

pid process

1792 plants-vs-zombies_vhQfH-1.tmp
364 file_vhQfH-1.exe
788 file_vhQfH-1.tmp
1008 plants-vs-zombies.exe
840 vcredist_x86.exe
1620 install.exe

pid	process
1792	plants-vs-zombies_vhQfH-1.tmp
364	file_vhQfH-1.exe
788	file_vhQfH-1.tmp
1008	plants-vs-zombies.exe
840	vcredist_x86.exe
1620	install.exe

Loads dropped DLL 9 IoCs

Processes:

plants-vs-zombies_vhQfH-1.exeplants-vs-zombies_vhQfH-1.tmpfile_vhQfH-1.exefile_vhQfH-1.tmpplants-vs-zombies.exevcredist_x86.exeinstall.exe

pid	process
1536	plants-vs-zombies_vhQfH-1.exe
1792	plants-vs-zombies_vhQfH-1.tmp
364	file_vhQfH-1.exe
788	file_vhQfH-1.tmp
788	file_vhQfH-1.tmp
788	file_vhQfH-1.tmp
1008	plants-vs-zombies.exe
840	vcredist_x86.exe
1620	install.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Program Files directory 3 IoCs

Processes:

plants-vs-zombies.exe

description	ioc	process
File created	C:\Program Files (x86)\PopCap Games\Plants vs. Zombies\Install.log	plants-vs-zombies.exe
File created	C:\Program Files (x86)\PopCap Games\Plants vs. Zombies\Install_props.xml	plants-vs-zombies.exe
File opened for modification	C:\Program Files (x86)\PopCap Games\Plants vs. Zombies\Install_props.xml	plants-vs-zombies.exe

Drops file in Windows directory 61 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\WinSxS\InstallTemp\20230215194016883.0\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016820.0\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016758.0\mfcm90u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016664.0\9.0.21022.8.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016727.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016758.0\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943.manifest	msiexec.exe
File created	\??\c:\Windows\Installer\6d1a97.msi	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20230215194016820.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016867.1\9.0.30729.1.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20230215194016727.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20230215194016664.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20230215194016898.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20230215194016867.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016727.0\msvcm90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016727.0\msvcr90.dll	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\6d1a93.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1DC1.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016493.0\atl90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016758.0\mfc90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016820.0\mfc90esn.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016820.0\mfc90esp.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016758.0\mfc90u.dll	msiexec.exe
File created	\??\c:\Windows\Installer\6d1a95.ipi	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729\FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729\FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20230215194016493.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016820.0\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03.cat	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20230215194016867.1	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016555.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016820.0\mfc90deu.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016820.0\mfc90rus.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016758.0\mfcm90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016555.0\vcomp90.dll	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\6d1a95.ipi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016493.0\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016898.0\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016820.0\mfc90chs.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016820.0\mfc90cht.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20230215194016758.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016867.0\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016867.1\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016820.0\mfc90jpn.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20230215194016883.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016727.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016493.0\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016820.0\mfc90enu.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016820.0\mfc90ita.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016867.0\9.0.30729.1.policy	msiexec.exe
File created	\??\c:\Windows\Installer\6d1a93.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016555.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016820.0\mfc90fra.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016820.0\mfc90kor.dll	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20230215194016555.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016758.0\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016727.0\msvcp90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016664.0\9.0.21022.8.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016883.0\9.0.30729.1.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230215194016898.0\9.0.30729.1.policy	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file_vhQfH-1.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file_vhQfH-1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	file_vhQfH-1.tmp

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{84206141-AD68-11ED-9AF1-EE38AA991E65} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{84206143-AD68-11ED-9AF1-EE38AA991E65}.dat = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF	msiexec.exe

Modifies registry class 52 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.ATL,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f00410054004c005f007800380036003e006500720069002d002e003800540052004600340074006d00310053006a006d00350059005d00380000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.CRT,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004300520054005f007800380036003e006b0027005600490037006f00520050007e00370055003d006f0029006d00730026002c003300420000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_ATL_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_CRT_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\PackageName = "vc_red.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\LastUsedSource = "n;1;c:\\61b9208d08f709254f40\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.ATL,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f00410054004c005f007800380036003e007900590067002500610066004a005700640037003800700038006d007200570035002b004d00660000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.MFC,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004d00460043005f007800380036003e0049004000790043006a0027006200720045003400710030004c0044006f0059004c007e006600580000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.OpenMP,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004f00700065006e004d0050005f007800380036003e004d0039002c004f005500350063004d0078003400660069003f00660040007b00300021004400480000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Net\1 = "c:\\61b9208d08f709254f40\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFC,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004d00460043005f007800380036003e004d0072004e0075004700740065007d0054003400240066006f0062004f005000340040004d004d0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.MFCLOC,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800380036003e0040006500650034004900600034006b0069003500590047006500590051006300340025007700780000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.OpenMP,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004f00700065006e004d0050005f007800380036003e004d004f00700050006d00360078002b0044003400700061006d006600580031006f00390032007a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\VC_Redist_12222_x86_enu	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\Version = "151025673"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_OpenMP_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.CRT,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004300520054005f007800380036003e00390032002c002b004b006e00240039002e0037006d0024006f0066007000790021004b007400620000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\VC_RED_enu_x86_net_SETUP	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Media\1 = ";1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_MFCLOC_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFCLOC,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800380036003e0063002e00410078003f007d0058003200710034003900530045006800470072004b0038007400360000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_MFC_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\PackageCode = "6C7E9C94F9A4F6E4EA39E910D4A1AC39"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\AuthorizedLUAApp = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\Language = "1033"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global	msiexec.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file_vhQfH-1.tmpplants-vs-zombies_vhQfH-1.tmp

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	file_vhQfH-1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	file_vhQfH-1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	plants-vs-zombies_vhQfH-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	plants-vs-zombies_vhQfH-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	plants-vs-zombies_vhQfH-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	plants-vs-zombies_vhQfH-1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	file_vhQfH-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	file_vhQfH-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	file_vhQfH-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	file_vhQfH-1.tmp

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 8 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

plants-vs-zombies.exemsiexec.exe

pid process

1008 plants-vs-zombies.exe
1008 plants-vs-zombies.exe
1740 msiexec.exe
1740 msiexec.exe

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1008	plants-vs-zombies.exe
1008	plants-vs-zombies.exe
1740	msiexec.exe
1740	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

install.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1620	install.exe
Token: SeIncreaseQuotaPrivilege	1620	install.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeSecurityPrivilege	1740	msiexec.exe
Token: SeCreateTokenPrivilege	1620	install.exe
Token: SeAssignPrimaryTokenPrivilege	1620	install.exe
Token: SeLockMemoryPrivilege	1620	install.exe
Token: SeIncreaseQuotaPrivilege	1620	install.exe
Token: SeMachineAccountPrivilege	1620	install.exe
Token: SeTcbPrivilege	1620	install.exe
Token: SeSecurityPrivilege	1620	install.exe
Token: SeTakeOwnershipPrivilege	1620	install.exe
Token: SeLoadDriverPrivilege	1620	install.exe
Token: SeSystemProfilePrivilege	1620	install.exe
Token: SeSystemtimePrivilege	1620	install.exe
Token: SeProfSingleProcessPrivilege	1620	install.exe
Token: SeIncBasePriorityPrivilege	1620	install.exe
Token: SeCreatePagefilePrivilege	1620	install.exe
Token: SeCreatePermanentPrivilege	1620	install.exe
Token: SeBackupPrivilege	1620	install.exe
Token: SeRestorePrivilege	1620	install.exe
Token: SeShutdownPrivilege	1620	install.exe
Token: SeDebugPrivilege	1620	install.exe
Token: SeAuditPrivilege	1620	install.exe
Token: SeSystemEnvironmentPrivilege	1620	install.exe
Token: SeChangeNotifyPrivilege	1620	install.exe
Token: SeRemoteShutdownPrivilege	1620	install.exe
Token: SeUndockPrivilege	1620	install.exe
Token: SeSyncAgentPrivilege	1620	install.exe
Token: SeEnableDelegationPrivilege	1620	install.exe
Token: SeManageVolumePrivilege	1620	install.exe
Token: SeImpersonatePrivilege	1620	install.exe
Token: SeCreateGlobalPrivilege	1620	install.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

plants-vs-zombies_vhQfH-1.tmpfile_vhQfH-1.tmpiexplore.exeplants-vs-zombies.exe

pid process

1792 plants-vs-zombies_vhQfH-1.tmp
788 file_vhQfH-1.tmp
1808 iexplore.exe
1008 plants-vs-zombies.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1808 iexplore.exe
1808 iexplore.exe
1108 IEXPLORE.EXE
1108 IEXPLORE.EXE

pid	process
1792	plants-vs-zombies_vhQfH-1.tmp
788	file_vhQfH-1.tmp
1808	iexplore.exe
1008	plants-vs-zombies.exe

pid	process
1808	iexplore.exe
1808	iexplore.exe
1108	IEXPLORE.EXE
1108	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

plants-vs-zombies_vhQfH-1.exeplants-vs-zombies_vhQfH-1.tmpfile_vhQfH-1.exefile_vhQfH-1.tmpiexplore.exeplants-vs-zombies.exevcredist_x86.exe

description	pid	process	target process
PID 1536 wrote to memory of 1792	1536	plants-vs-zombies_vhQfH-1.exe	plants-vs-zombies_vhQfH-1.tmp
PID 1536 wrote to memory of 1792	1536	plants-vs-zombies_vhQfH-1.exe	plants-vs-zombies_vhQfH-1.tmp
PID 1536 wrote to memory of 1792	1536	plants-vs-zombies_vhQfH-1.exe	plants-vs-zombies_vhQfH-1.tmp
PID 1536 wrote to memory of 1792	1536	plants-vs-zombies_vhQfH-1.exe	plants-vs-zombies_vhQfH-1.tmp
PID 1536 wrote to memory of 1792	1536	plants-vs-zombies_vhQfH-1.exe	plants-vs-zombies_vhQfH-1.tmp
PID 1536 wrote to memory of 1792	1536	plants-vs-zombies_vhQfH-1.exe	plants-vs-zombies_vhQfH-1.tmp
PID 1536 wrote to memory of 1792	1536	plants-vs-zombies_vhQfH-1.exe	plants-vs-zombies_vhQfH-1.tmp
PID 1792 wrote to memory of 364	1792	plants-vs-zombies_vhQfH-1.tmp	file_vhQfH-1.exe
PID 1792 wrote to memory of 364	1792	plants-vs-zombies_vhQfH-1.tmp	file_vhQfH-1.exe
PID 1792 wrote to memory of 364	1792	plants-vs-zombies_vhQfH-1.tmp	file_vhQfH-1.exe
PID 1792 wrote to memory of 364	1792	plants-vs-zombies_vhQfH-1.tmp	file_vhQfH-1.exe
PID 364 wrote to memory of 788	364	file_vhQfH-1.exe	file_vhQfH-1.tmp
PID 364 wrote to memory of 788	364	file_vhQfH-1.exe	file_vhQfH-1.tmp
PID 364 wrote to memory of 788	364	file_vhQfH-1.exe	file_vhQfH-1.tmp
PID 364 wrote to memory of 788	364	file_vhQfH-1.exe	file_vhQfH-1.tmp
PID 364 wrote to memory of 788	364	file_vhQfH-1.exe	file_vhQfH-1.tmp
PID 364 wrote to memory of 788	364	file_vhQfH-1.exe	file_vhQfH-1.tmp
PID 364 wrote to memory of 788	364	file_vhQfH-1.exe	file_vhQfH-1.tmp
PID 788 wrote to memory of 1008	788	file_vhQfH-1.tmp	plants-vs-zombies.exe
PID 788 wrote to memory of 1008	788	file_vhQfH-1.tmp	plants-vs-zombies.exe
PID 788 wrote to memory of 1008	788	file_vhQfH-1.tmp	plants-vs-zombies.exe
PID 788 wrote to memory of 1008	788	file_vhQfH-1.tmp	plants-vs-zombies.exe
PID 788 wrote to memory of 1808	788	file_vhQfH-1.tmp	iexplore.exe
PID 788 wrote to memory of 1808	788	file_vhQfH-1.tmp	iexplore.exe
PID 788 wrote to memory of 1808	788	file_vhQfH-1.tmp	iexplore.exe
PID 788 wrote to memory of 1808	788	file_vhQfH-1.tmp	iexplore.exe
PID 1808 wrote to memory of 1108	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 1108	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 1108	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 1108	1808	iexplore.exe	IEXPLORE.EXE
PID 1008 wrote to memory of 840	1008	plants-vs-zombies.exe	vcredist_x86.exe
PID 1008 wrote to memory of 840	1008	plants-vs-zombies.exe	vcredist_x86.exe
PID 1008 wrote to memory of 840	1008	plants-vs-zombies.exe	vcredist_x86.exe
PID 1008 wrote to memory of 840	1008	plants-vs-zombies.exe	vcredist_x86.exe
PID 1008 wrote to memory of 840	1008	plants-vs-zombies.exe	vcredist_x86.exe
PID 1008 wrote to memory of 840	1008	plants-vs-zombies.exe	vcredist_x86.exe
PID 1008 wrote to memory of 840	1008	plants-vs-zombies.exe	vcredist_x86.exe
PID 840 wrote to memory of 1620	840	vcredist_x86.exe	install.exe
PID 840 wrote to memory of 1620	840	vcredist_x86.exe	install.exe
PID 840 wrote to memory of 1620	840	vcredist_x86.exe	install.exe
PID 840 wrote to memory of 1620	840	vcredist_x86.exe	install.exe
PID 840 wrote to memory of 1620	840	vcredist_x86.exe	install.exe
PID 840 wrote to memory of 1620	840	vcredist_x86.exe	install.exe
PID 840 wrote to memory of 1620	840	vcredist_x86.exe	install.exe

C:\Users\Admin\AppData\Local\Temp\plants-vs-zombies_vhQfH-1.exe
"C:\Users\Admin\AppData\Local\Temp\plants-vs-zombies_vhQfH-1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\is-R6459.tmp\plants-vs-zombies_vhQfH-1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R6459.tmp\plants-vs-zombies_vhQfH-1.tmp" /SL5="$C0158,831488,831488,C:\Users\Admin\AppData\Local\Temp\plants-vs-zombies_vhQfH-1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\is-PF2QP.tmp\file_vhQfH-1.exe
"C:\Users\Admin\AppData\Local\Temp\is-PF2QP.tmp\file_vhQfH-1.exe" /LANG=es /NA=Rh85hR64
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Local\Temp\is-CTP80.tmp\file_vhQfH-1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CTP80.tmp\file_vhQfH-1.tmp" /SL5="$201B6,1559708,780800,C:\Users\Admin\AppData\Local\Temp\is-PF2QP.tmp\file_vhQfH-1.exe" /LANG=es /NA=Rh85hR64
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\Downloads\plants-vs-zombies.exe
"C:\Users\Admin\Downloads\plants-vs-zombies.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\popcfg2\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\popcfg2\vcredist_x86.exe" /q
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840

\??\c:\61b9208d08f709254f40\install.exe
c:\61b9208d08f709254f40\.\install.exe /q
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://es.download.it/?typ=1
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1108

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\61b9208d08f709254f40\install.exe
Filesize
549KB

MD5
33c9213ff5849ef7346799cae4d8ac80

SHA1
5421169811570171e9d2d0a1cdca9665273e7b59

SHA256
3377e31d233ff41aea253e6221815820997763acdf40b005f8791400366cb8ff

SHA512
da0fc3f57156e06c0c37c1fb5176e1b147ce4aa21f519112123722496b04ad4bc3d366e2b51fd78de1ba0304d35bfd5e5fc95cabc2b3eb174f77636a8fa162a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b8acd166fc2f60d74abc9beb5ddaf566

SHA1
b851165407e2a11e5c2983c2dd9ca725c848a5ee

SHA256
4f709068d65344cfea3d29ee20fc07a99b39ae0a2330d5041aa4f1e52ac19ea3

SHA512
9700e66d7d2524b1e97b8b026a7c55f566cf155fab2d16e8ad29e6d316b97381af851e6d968efd6a60d90f863cd3518733638d6d415a76bfcda885c75ed41faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI75D4.txt
Filesize
1KB

MD5
66fb6e4c850b500e1873a061d8b27bda

SHA1
1084ed76cba6922b4e839e2b69737f349c91ae9b

SHA256
11fc760a79008903a4ba0d39610c7228cf90350c34a77fb6832d52ddb3576954

SHA512
ebdc59a8e75e890a1629cc09fc23b1d1c3191dd93152a8b2f696e789d329affad221147370c66ab9071c625f8b48b29960a1da10297a958f8bf09c2b56733bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CTP80.tmp\file_vhQfH-1.tmp
Filesize
2.9MB

MD5
623a3abd7b318e1f410b1e12a42c7b71

SHA1
88e34041850ec4019dae469adc608e867b936d21

SHA256
fe1a4555d18617532248d2eaa8d3fcc2c74182f994a964a62cf418295e8554d3

SHA512
9afea88e4617e0f11416c2a2c416a6aa2d5d1f702d98d2cc223b399736191a6d002d1b717020ca6aae09e835c6356b7ddafad71e101dacab15967d89a105e391

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PF2QP.tmp\file_vhQfH-1.exe
Filesize
2.3MB

MD5
e0be768de74770fb20362306c1bb7370

SHA1
9d02a4e01268ae34edb058be6034cb32c897aaf3

SHA256
d7bea1932045300bc2be5237800010e3aa48df417feab60eab39fe5a166e0242

SHA512
37aa68b761aad730d0f7e5475e8ecf3e9a011c67dd5fdff018d9dfc772cc55d548264ca72b97010e41e5861c8cd8f598264859f7bf91484e3ef16852a415a42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PF2QP.tmp\file_vhQfH-1.exe
Filesize
2.3MB

MD5
e0be768de74770fb20362306c1bb7370

SHA1
9d02a4e01268ae34edb058be6034cb32c897aaf3

SHA256
d7bea1932045300bc2be5237800010e3aa48df417feab60eab39fe5a166e0242

SHA512
37aa68b761aad730d0f7e5475e8ecf3e9a011c67dd5fdff018d9dfc772cc55d548264ca72b97010e41e5861c8cd8f598264859f7bf91484e3ef16852a415a42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R6459.tmp\plants-vs-zombies_vhQfH-1.tmp
Filesize
3.0MB

MD5
0c229cd26910820581b5809c62fe5619

SHA1
28c0630385b21f29e3e2bcc34865e5d15726eaa0

SHA256
abfa49a915d2e0a82561ca440365e6a2d59f228533b56a8f78addf000a1081b3

SHA512
b8ff3dc65f7c0e03721572af738ec4886ba895dc70c1a41a3ce8c8abe0946d167cec71913017fd11d5892452db761ea88901a5a09a681ae779dd531edbb83a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popcfg2\vcredist_x86.exe
Filesize
4.0MB

MD5
5689d43c3b201dd3810fa3bba4a6476a

SHA1
6939100e397cef26ec22e95e53fcd9fc979b7bc9

SHA256
41f45a46ee56626ff2699d525bb56a3bb4718c5ca5f4fb5b3b38add64584026b

SHA512
4875134c664503242ec60717232f2917edca20286fc4b675223edbbe5dc0239ebfaf8f67edd76fedcaa2be5419490dc6f47930ca260e6c9988ccf242416c204b

Download Submit
C:\Users\Admin\AppData\Local\Temp\popcfg2\vcredist_x86.exe
Filesize
4.0MB

MD5
5689d43c3b201dd3810fa3bba4a6476a

SHA1
6939100e397cef26ec22e95e53fcd9fc979b7bc9

SHA256
41f45a46ee56626ff2699d525bb56a3bb4718c5ca5f4fb5b3b38add64584026b

SHA512
4875134c664503242ec60717232f2917edca20286fc4b675223edbbe5dc0239ebfaf8f67edd76fedcaa2be5419490dc6f47930ca260e6c9988ccf242416c204b

Download Submit
C:\Users\Admin\Downloads\plants-vs-zombies.exe
Filesize
40.7MB

MD5
de23cdebf6842a725646c5bfa31ad38c

SHA1
f65a99a478d44d2f0a660fc7b8cb6110ca2363f5

SHA256
ee276706679fa28fd0310cca7bcd35ff8d4fdeb9335affdd9555bf491ee39995

SHA512
bb6ec6f09b36c9fcf422b9871e16b4fc217f6adae1cd785a48dada3f04bafb2d9f3de6bf9acbe259f1146ae6a59ade62c5833eeb0b9c526c02fa0c876603dab6

Download Submit
C:\Users\Admin\Downloads\plants-vs-zombies.exe
Filesize
40.7MB

MD5
de23cdebf6842a725646c5bfa31ad38c

SHA1
f65a99a478d44d2f0a660fc7b8cb6110ca2363f5

SHA256
ee276706679fa28fd0310cca7bcd35ff8d4fdeb9335affdd9555bf491ee39995

SHA512
bb6ec6f09b36c9fcf422b9871e16b4fc217f6adae1cd785a48dada3f04bafb2d9f3de6bf9acbe259f1146ae6a59ade62c5833eeb0b9c526c02fa0c876603dab6

Download Submit
\61b9208d08f709254f40\install.exe
Filesize
549KB

MD5
33c9213ff5849ef7346799cae4d8ac80

SHA1
5421169811570171e9d2d0a1cdca9665273e7b59

SHA256
3377e31d233ff41aea253e6221815820997763acdf40b005f8791400366cb8ff

SHA512
da0fc3f57156e06c0c37c1fb5176e1b147ce4aa21f519112123722496b04ad4bc3d366e2b51fd78de1ba0304d35bfd5e5fc95cabc2b3eb174f77636a8fa162a1

Download Submit
\61b9208d08f709254f40\install.res.1033.dll
Filesize
89KB

MD5
8e97ea8a1ed69806232e8743f9a28706

SHA1
e911d3802e64f9be0e1ac68865bbcc92624d6a1f

SHA256
2893b1b9751f833d4a3ded7c1fba1a96cada2927a2349c5d751365eed647c100

SHA512
aa57fe0b822145aa1d8eb72f9735ef5d92036f24c4c80392799d701447d18ea510331f5653b39c43dc923cd0f1a61bf87be0f8a4927f6e3754d19ac76fd443c3

Download Submit
\??\c:\61b9208d08f709254f40\globdata.ini
Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\61b9208d08f709254f40\install.ini
Filesize
844B

MD5
5feaa6a36fea7dfdb88c18d69ba6d6a9

SHA1
7afd91a7b046d68b6ee9fd367bcd7a4fec546216

SHA256
67a50ffbb8a1d500eaa4d9f0227d6a8595a2750154e6b31662fc4f51286e47fc

SHA512
6c8c0456f232a02a49d51b3f1a830a18b9078e621cd0dc3f4f76f79b83035e8affac67bce3af9a37fa9096a34a8499c59cf982b63a4b2400b9190d2db293e682

Download Submit
\??\c:\61b9208d08f709254f40\install.res.1033.dll
Filesize
89KB

MD5
8e97ea8a1ed69806232e8743f9a28706

SHA1
e911d3802e64f9be0e1ac68865bbcc92624d6a1f

SHA256
2893b1b9751f833d4a3ded7c1fba1a96cada2927a2349c5d751365eed647c100

SHA512
aa57fe0b822145aa1d8eb72f9735ef5d92036f24c4c80392799d701447d18ea510331f5653b39c43dc923cd0f1a61bf87be0f8a4927f6e3754d19ac76fd443c3

Download Submit
\??\c:\61b9208d08f709254f40\vc_red.cab
Filesize
3.7MB

MD5
ecca3c1acb74cb73c600eabdd3f9c9d9

SHA1
f015759f623c377494a5996670204f1fcd0895e3

SHA256
43b7648183347374236296f2176c7c7da920da9c1a08adda761e12614efb299e

SHA512
2785b8e8cfc310ec114cee696c5b85900fc71186dcbf0c99a9c13f4f0fdcc9e9dd583c9d1fd82492a680efcd7071c3593b02b628bd947bc19b1302b931aca807

Download Submit
\??\c:\61b9208d08f709254f40\vc_red.msi
Filesize
227KB

MD5
6e17361f8e53b47656bcf0ed90ade095

SHA1
bce290a700e31579356f7122fb38ce3be452628a

SHA256
8811e5fe167223d906701bc8deb789de0a731e888e285834bcae164b03d43c96

SHA512
a566fc8bbb4d354db32f13de2fde73a1210c61b1c30a1be22b16c7e98b8d51c673259c57a924b04035cb9f0bf4a087a3e8b32221e7ff87032cddc840ffe3ed2f

Download Submit
\Users\Admin\AppData\Local\Temp\is-360CF.tmp\Helper.dll
Filesize
2.0MB

MD5
4eb0347e66fa465f602e52c03e5c0b4b

SHA1
fdfedb72614d10766565b7f12ab87f1fdca3ea81

SHA256
c73e53cbb7b98feafe27cc7de8fdad51df438e2235e91891461c5123888f73cc

SHA512
4c909a451059628119f92b2f0c8bcd67b31f63b57d5339b6ce8fd930be5c9baf261339fdd9da820321be497df8889ce7594b7bfaadbaa43c694156651bf6c1fd

Download Submit
\Users\Admin\AppData\Local\Temp\is-360CF.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-CTP80.tmp\file_vhQfH-1.tmp
Filesize
2.9MB

MD5
623a3abd7b318e1f410b1e12a42c7b71

SHA1
88e34041850ec4019dae469adc608e867b936d21

SHA256
fe1a4555d18617532248d2eaa8d3fcc2c74182f994a964a62cf418295e8554d3

SHA512
9afea88e4617e0f11416c2a2c416a6aa2d5d1f702d98d2cc223b399736191a6d002d1b717020ca6aae09e835c6356b7ddafad71e101dacab15967d89a105e391

Download Submit
\Users\Admin\AppData\Local\Temp\is-PF2QP.tmp\file_vhQfH-1.exe
Filesize
2.3MB

MD5
e0be768de74770fb20362306c1bb7370

SHA1
9d02a4e01268ae34edb058be6034cb32c897aaf3

SHA256
d7bea1932045300bc2be5237800010e3aa48df417feab60eab39fe5a166e0242

SHA512
37aa68b761aad730d0f7e5475e8ecf3e9a011c67dd5fdff018d9dfc772cc55d548264ca72b97010e41e5861c8cd8f598264859f7bf91484e3ef16852a415a42b

Download Submit
\Users\Admin\AppData\Local\Temp\is-R6459.tmp\plants-vs-zombies_vhQfH-1.tmp
Filesize
3.0MB

MD5
0c229cd26910820581b5809c62fe5619

SHA1
28c0630385b21f29e3e2bcc34865e5d15726eaa0

SHA256
abfa49a915d2e0a82561ca440365e6a2d59f228533b56a8f78addf000a1081b3

SHA512
b8ff3dc65f7c0e03721572af738ec4886ba895dc70c1a41a3ce8c8abe0946d167cec71913017fd11d5892452db761ea88901a5a09a681ae779dd531edbb83a2a

Download Submit
\Users\Admin\AppData\Local\Temp\popcfg2\vcredist_x86.exe
Filesize
4.0MB

MD5
5689d43c3b201dd3810fa3bba4a6476a

SHA1
6939100e397cef26ec22e95e53fcd9fc979b7bc9

SHA256
41f45a46ee56626ff2699d525bb56a3bb4718c5ca5f4fb5b3b38add64584026b

SHA512
4875134c664503242ec60717232f2917edca20286fc4b675223edbbe5dc0239ebfaf8f67edd76fedcaa2be5419490dc6f47930ca260e6c9988ccf242416c204b

Download Submit
\Users\Admin\Downloads\plants-vs-zombies.exe
Filesize
40.7MB

MD5
de23cdebf6842a725646c5bfa31ad38c

SHA1
f65a99a478d44d2f0a660fc7b8cb6110ca2363f5

SHA256
ee276706679fa28fd0310cca7bcd35ff8d4fdeb9335affdd9555bf491ee39995

SHA512
bb6ec6f09b36c9fcf422b9871e16b4fc217f6adae1cd785a48dada3f04bafb2d9f3de6bf9acbe259f1146ae6a59ade62c5833eeb0b9c526c02fa0c876603dab6

Download Submit
memory/364-70-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/364-64-0x0000000000000000-mapping.dmp

Download
memory/364-85-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/364-67-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/364-79-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/788-77-0x0000000007640000-0x000000000764F000-memory.dmp

Filesize
60KB

Download
memory/788-72-0x0000000000000000-mapping.dmp

Download
memory/840-88-0x0000000000000000-mapping.dmp

Download
memory/1008-81-0x0000000000000000-mapping.dmp

Download
memory/1536-54-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/1536-86-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1536-61-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1536-55-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1620-93-0x0000000000000000-mapping.dmp

Download
memory/1740-101-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

Filesize
8KB

Download
memory/1792-62-0x0000000074241000-0x0000000074243000-memory.dmp

Filesize
8KB

Download
memory/1792-58-0x0000000000000000-mapping.dmp

Download