541d0a7d8ba42e1abee5ba2fb9e79876468f014bdf082e77047cd288eb28ccc6

Resubmissions

17-06-2024 01:11

240617-bjx85s1fnr 7

17-06-2024 01:06

240617-bf23xsxard 3

Analysis

max time kernel
1799s
max time network
1751s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
17-06-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Plants-VS-Zombies-Game-Of-The-Year-Edition-Steamrip-com.rar
Size

75.7MB
MD5

cc7306208a5a2af54aee36fccb1297fe
SHA1

f5e4296f909c60403d32e4d5652cedb51406fe3b
SHA256

541d0a7d8ba42e1abee5ba2fb9e79876468f014bdf082e77047cd288eb28ccc6
SHA512

7bce0195be710ff9d0f54890126bfd6958b9dbbe2548175112bde86803b7e129797ebfc00120811d6a37ddcc36f43f04f70e02c3dc071daaab7fa3952285c000
SSDEEP

1572864:+k2El0vhua3Qx/MdFiXgpMs1kTfx0qU/nn3tBUKKjGQts+apoqspWi7HrJ:qp3QxEPiXgpMJTfxc/nn45iQt5H2SHrJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3688	PlantsVsZombies.exe

Loads dropped DLL 2 IoCs

pid	Process
3688	PlantsVsZombies.exe
3688	PlantsVsZombies.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0000000001000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1672260578-815027929-964132517-1000\{3248B188-0157-42AE-92FF-5336BC8468D7}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1672260578-815027929-964132517-1000\{57CA581C-3642-462B-A36C-3F0AE1B5E800}	svchost.exe
Key created	\Registry\User\S-1-5-21-1672260578-815027929-964132517-1000_Classes\NotificationData	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000a858c47a110050524f4752417e310000740009000400efbec5525961a858c47a2e0000003f0000000000010000000000000000004a00000000007e9dda00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1672260578-815027929-964132517-1000\{848D7B45-E392-4B03-9833-C5CD49399313}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3248	OpenWith.exe
4056	OpenWith.exe
3688	PlantsVsZombies.exe
572	Taskmgr.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	2728	7zG.exe
Token: 35	2728	7zG.exe
Token: SeSecurityPrivilege	2728	7zG.exe
Token: SeSecurityPrivilege	2728	7zG.exe
Token: 33	1380	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1380	AUDIODG.EXE
Token: SeDebugPrivilege	572	Taskmgr.exe
Token: SeSystemProfilePrivilege	572	Taskmgr.exe
Token: SeCreateGlobalPrivilege	572	Taskmgr.exe
Token: SeSecurityPrivilege	572	Taskmgr.exe
Token: SeTakeOwnershipPrivilege	572	Taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2728	7zG.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe
572	Taskmgr.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
2752	OpenWith.exe
4056	OpenWith.exe
4744	MiniSearchHost.exe
1120	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 572	1872	cmd.exe	100
PID 1872 wrote to memory of 572	1872	cmd.exe	100

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Plants-VS-Zombies-Game-Of-The-Year-Edition-Steamrip-com.rar
1⤵
- Modifies registry class
PID:1832

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3800

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2752

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Plants-VS-Zombies-Game-Of-The-Year-Edition-Steamrip-com\" -spe -an -ai#7zMap32127:190:7zEvent24468
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2728

C:\Users\Admin\Desktop\Plants-VS-Zombies-Game-Of-The-Year-Edition-Steamrip-com\Plants vs. Zombies GOTY Edition\PlantsVsZombies.exe
"C:\Users\Admin\Desktop\Plants-VS-Zombies-Game-Of-The-Year-Edition-Steamrip-com\Plants vs. Zombies GOTY Edition\PlantsVsZombies.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:3688

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:5112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:3888

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:1572

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\system32\Taskmgr.exe
  taskmgr.exe
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
92325191721c8cf6addf0e95d033207e

SHA1
a9878afb783e4aca350fcbe04e3bc07b08cd60aa

SHA256
2b80f94048c70272ecedafe822fbebf967bb77c041db89f63c9b3258b485ceb5

SHA512
7c387f403e4f5ec55f72b6e8d898e30aa40f8892baa5c1424111349d65510b633f66fdc6e739f40b6fc1d0746a4fb1fc80e9b1834987ea79e0e2ccd8be36dc88

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
e9aa12ff0be6d995ed86f8cf88678158

SHA1
e5ee38fc2ebef0fcbc3059dee29b39f7daf21931

SHA256
f35cd8ef03ac924a59943c5dfffc31ab67a8b5aff272e9f47ff776aabc7ee561

SHA512
95a67acd2a4784b87d73910c1f1f590937c9d9b901e98448556a37eb8137ae5f458f1c673d65a46cf7d6b90bee5fe6b102ce3eeac9e819062cd9c5c2418bcbfc

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
f6cf8a445e1a471d6dff34d1abb8efdb

SHA1
57e4448a4b9475bb529dd7bb3a9808e6e0400b76

SHA256
355f4081dc19d2bfd40aa473a1f76ff02912cf04906b9af9dd62edb0646e1c5a

SHA512
64e33a1eb07c42dbd55ad342b35b34487b9a659205e0f0a5f6605135f5b710deb4882af894fb1c807e0d48a5acffdf3911740ae6c0eacaa4c173f64351deb3d2

Download Submit
C:\Users\Admin\Desktop\Plants-VS-Zombies-Game-Of-The-Year-Edition-Steamrip-com\Plants vs. Zombies GOTY Edition\PlantsVsZombies.exe

Filesize
3.4MB

MD5
d87a32d1be3e8bef5edd8100486b06f8

SHA1
96e9c4e7ac8963638ba9b06bd08badf8bc7c87ac

SHA256
48e28b4a6838061d49d4d83fe891320235b0895208e30e199fb21fd89980a672

SHA512
9657d1d31c369e677000bc8e1117ec4dd0a69334312faa433fc4975c7cfb1157a2f64dbb1ca125b8f1bba1d5510948ddd3f40409ddd818127bd09da9ebe1b648

Download Submit
C:\Users\Admin\Desktop\Plants-VS-Zombies-Game-Of-The-Year-Edition-Steamrip-com\Plants vs. Zombies GOTY Edition\bass.dll

Filesize
90KB

MD5
6731f160e001bb85ba930574b8d42776

SHA1
aa2b48c55d9350be1ccf1dce921c33100e627378

SHA256
3627adef7e04dd7aa9b8e116d0afc11dcee40d0e09d573210a4f86bdc81a80b6

SHA512
07ae0cb85464b015b35e6157228775a6ac66e5e62a1b47f9395307b61176b6df835e00a1518846507718acffc271263008cc8a9b2c1e8a0192c5438774e12437

Download Submit
C:\Users\Admin\Desktop\Plants-VS-Zombies-Game-Of-The-Year-Edition-Steamrip-com\Plants vs. Zombies GOTY Edition\main.pak

Filesize
43.3MB

MD5
26392c2433caff44251b9eecd4500546

SHA1
9d042fd889151627a4a05451f50c52c1ebc1a6f1

SHA256
5878326408285cb01f83b4fa4edcc66d65e727f6d6ee88563b5b3b287dd259fc

SHA512
4e3d75f34f6b1d192dae693b3baccb32b84d6877a0c355c75a0959d62b179fda46133819e7512c409cc5b0033741966abc3e0ce665000703e836b5e7d3a61c1c

Download Submit
C:\Users\Admin\Desktop\Plants-VS-Zombies-Game-Of-The-Year-Edition-Steamrip-com\Plants vs. Zombies GOTY Edition\properties\default.xml

Filesize
2KB

MD5
8ed72e354fe6a65452203fa8af42bee5

SHA1
52d7b0a691822d4a302ea633d1e7a68f611b6888

SHA256
4a051495830ca117435c2972dda5af7a4355d33964d904c335eb140dcf2e904c

SHA512
e06ad321fdeea3a08d64859fc25d41d2de36e1dae02ebf778ebaadfaa90ed06229e60f3f3c4bdc4ad3bbe6808b9e175528620ea62f2dd30cba9c0d2c37169fe8

Download Submit
C:\Users\Admin\Desktop\Plants-VS-Zombies-Game-Of-The-Year-Edition-Steamrip-com\Plants vs. Zombies GOTY Edition\properties\partner.xml

Filesize
667B

MD5
03e40048514022bc30a95dd4129ea85f

SHA1
be5833c0eac7aa145c4ac827ac54fe6ead280892

SHA256
4e7ff623b419e36feb578eaccb5e80b838290b01c2d2ae282a0648cecbd80290

SHA512
c85d3faeb98196896f0c269bd194dbfaf9aa42df833b1ddcedc2464ccc02c90f2583fd0a271e2e0cf244e357d5fcb2d9c0feb2c5a35c0a1088f6f2dea9a4b5ee

Download Submit
C:\Users\Admin\Desktop\Plants-VS-Zombies-Game-Of-The-Year-Edition-Steamrip-com\Plants vs. Zombies GOTY Edition\properties\partner.xml.sig

Filesize
24B

MD5
43692852271755b4b8a3700255e144cd

SHA1
0c25a72a1ee4006b0a63dfb2b9c0369fedb688ef

SHA256
ca5b57ce55e4c7dac8086656e7b63c41d56e1cc98a6208391f6fbfa800887537

SHA512
bb89a39489647a9aac58cda774573f169eaecfdc8d606708dbaefc62a7a2257036bec74bff65c35d0cd6f4cc9c266284895dbdd7dd087b5ae9ff11436b53986b

Download Submit
C:\Users\Admin\Desktop\Plants-VS-Zombies-Game-Of-The-Year-Edition-Steamrip-com\Plants vs. Zombies GOTY Edition\properties\partner_logo.jpg

Filesize
5KB

MD5
834e499dfc1116d26c3b229f69019149

SHA1
6eb52bf63ec5265faa360abebf2b7f634696f0b1

SHA256
8bea233c40ddf74decf3ddd0a3d4cef8e1229ca3a756384e78d319aca0b63113

SHA512
c5ac5f9b41ff6af9d132c0f4c8a9e6a841261f24bd7e9eaac1864d87489639516af348271e11b60df959711d65af9bdc59337d0d6a718cbd10f17beefd93380b

Download Submit
C:\Users\Admin\Desktop\Plants-VS-Zombies-Game-Of-The-Year-Edition-Steamrip-com\Plants vs. Zombies GOTY Edition\steam_api.dll

Filesize
113KB

MD5
c6577b2e9c7c3e98799081534de8494f

SHA1
730a6770f80f6bc6beeb4cd58f441d9f756c353d

SHA256
8d567f209dffdac48e3f65acdf94b33d076b908df63eb531602437987a708b82

SHA512
e82691e86093bd1d76d2dcb1aeef0f37ae69847099e0efcd97d689a54a2f1323fdaee7de266b1f9aff35cde4a0129f125113646816ead073e3a757189805fdcb

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/572-390-0x0000021512080000-0x0000021512081000-memory.dmp

Filesize
4KB

Download
memory/572-385-0x0000021512080000-0x0000021512081000-memory.dmp

Filesize
4KB

Download
memory/572-389-0x0000021512080000-0x0000021512081000-memory.dmp

Filesize
4KB

Download
memory/572-391-0x0000021512080000-0x0000021512081000-memory.dmp

Filesize
4KB

Download
memory/572-392-0x0000021512080000-0x0000021512081000-memory.dmp

Filesize
4KB

Download
memory/572-393-0x0000021512080000-0x0000021512081000-memory.dmp

Filesize
4KB

Download
memory/572-394-0x0000021512080000-0x0000021512081000-memory.dmp

Filesize
4KB

Download
memory/572-395-0x0000021512080000-0x0000021512081000-memory.dmp

Filesize
4KB

Download
memory/572-383-0x0000021512080000-0x0000021512081000-memory.dmp

Filesize
4KB

Download
memory/572-384-0x0000021512080000-0x0000021512081000-memory.dmp

Filesize
4KB

Download
memory/3688-400-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-414-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-381-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-380-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-379-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-378-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-377-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-376-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-372-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-371-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-370-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-349-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-396-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-397-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-398-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-399-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-165-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-401-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-405-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-406-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-407-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-408-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-409-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-410-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-411-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-412-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-413-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-382-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-415-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-416-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-417-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-418-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-419-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-420-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-421-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-422-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-423-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-424-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-425-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-426-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-427-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-428-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-429-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-430-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-431-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-432-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-433-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-434-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-435-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-436-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-437-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-438-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-439-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-440-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3688-441-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download