4b4bb4d19fb639e5698983e39d7ad061c7667bcec19056560532c7ad0d67d0e4

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PlantsVsZombiesSetup_instalador.exe
Size

40.8MB
MD5

95c188d0e4bff425431bcdfd49d06d25
SHA1

c46979be135ef1c486144fa062466cdc51b740f5
SHA256

4b4bb4d19fb639e5698983e39d7ad061c7667bcec19056560532c7ad0d67d0e4
SHA512

804943b85f968cea2cbc9f0f7a2d55c5d53d00d777e251f6662c60172a3bd8017c4de6ce17d25f58dd8d3031f86f025727f7fa31859eeb50b755a2f61570c839
SSDEEP

786432:kz5Jx9wem1r+qHk/rYmfZ6f8/39RsAaZh9BLTtYHmc9iLMnH:kz5Jzi0ZfZP9iAsBLBYHv6eH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
444	vcredist_x86.exe
2560	install.exe

Loads dropped DLL 3 IoCs

pid	Process
2144	PlantsVsZombiesSetup_instalador.exe
444	vcredist_x86.exe
2560	install.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PopCap Games\Plants vs. Zombies\Install_props.xml	PlantsVsZombiesSetup_instalador.exe
File opened for modification	C:\Program Files (x86)\PopCap Games\Plants vs. Zombies\Install_props.xml	PlantsVsZombiesSetup_instalador.exe
File created	C:\Program Files (x86)\PopCap Games\Plants vs. Zombies\Install.log	PlantsVsZombiesSetup_instalador.exe

Drops file in Windows directory 61 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348117.0\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348071.0\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348133.0\9.0.30729.1.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348039.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348133.0\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348149.0\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348102.0\mfc90ita.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348102.0\mfc90rus.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240708054347852.0	msiexec.exe
File created	\??\c:\Windows\Installer\f76f41f.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348071.0\mfc90.dll	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729\FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729\FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240708054347899.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240708054347977.0	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF72D.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054347977.0\9.0.21022.8.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054347852.0\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348102.0\mfc90cht.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348102.0\mfc90esn.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348102.0\mfc90esp.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348071.0\mfcm90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348133.1\9.0.30729.1.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054347899.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348102.0\mfc90deu.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054347977.0\9.0.21022.8.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348102.0\mfc90fra.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054347852.0\atl90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348071.0\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348102.0\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348071.0\mfcm90u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348039.0\msvcm90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348117.0\9.0.30729.1.policy	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054347899.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348039.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e.manifest	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\f76f422.ipi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\f76f41f.msi	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240708054348117.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240708054348039.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240708054348133.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240708054348071.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348149.0\9.0.30729.1.policy	msiexec.exe
File created	\??\c:\Windows\Installer\f76f424.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054347899.0\vcomp90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348039.0\msvcp90.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240708054348102.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348133.1\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348102.0\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348102.0\mfc90chs.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348102.0\mfc90enu.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348039.0\msvcr90.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240708054348149.0	msiexec.exe
File created	\??\c:\Windows\Installer\f76f422.ipi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348071.0\mfc90u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054347852.0\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348102.0\mfc90kor.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240708054348133.1	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240708054348102.0\mfc90jpn.dll	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 52 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\Version = "151025673"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\VC_RED_enu_x86_net_SETUP	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.ATL,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f00410054004c005f007800380036003e007900590067002500610066004a005700640037003800700038006d007200570035002b004d00660000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_MFCLOC_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.MFC,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004d00460043005f007800380036003e0049004000790043006a0027006200720045003400710030004c0044006f0059004c007e006600580000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_MFC_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\AuthorizedLUAApp = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.OpenMP,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004f00700065006e004d0050005f007800380036003e004d004f00700050006d00360078002b0044003400700061006d006600580031006f00390032007a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFCLOC,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800380036003e0063002e00410078003f007d0058003200710034003900530045006800470072004b0038007400360000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\Assignment = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Net\1 = "c:\\2188ebb19110121f7905\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\LastUsedSource = "n;1;c:\\2188ebb19110121f7905\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_ATL_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_OpenMP_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\PackageName = "vc_red.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.ATL,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f00410054004c005f007800380036003e006500720069002d002e003800540052004600340074006d00310053006a006d00350059005d00380000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.CRT,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004300520054005f007800380036003e00390032002c002b004b006e00240039002e0037006d0024006f0066007000790021004b007400620000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_CRT_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.OpenMP,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004f00700065006e004d0050005f007800380036003e004d0039002c004f005500350063004d0078003400660069003f00660040007b00300021004400480000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\VC_Redist_12222_x86_enu	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Media\1 = ";1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\PackageCode = "6C7E9C94F9A4F6E4EA39E910D4A1AC39"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.CRT,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004300520054005f007800380036003e006b0027005600490037006f00520050007e00370055003d006f0029006d00730026002c003300420000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\Language = "1033"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFC,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004d00460043005f007800380036003e004d0072004e0075004700740065007d0054003400240066006f0062004f005000340040004d004d0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.MFCLOC,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800380036003e0040006500650034004900600034006b0069003500590047006500590051006300340025007700780000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2144	PlantsVsZombiesSetup_instalador.exe
2144	PlantsVsZombiesSetup_instalador.exe
2452	msiexec.exe
2452	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2560	install.exe
Token: SeIncreaseQuotaPrivilege	2560	install.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeSecurityPrivilege	2452	msiexec.exe
Token: SeCreateTokenPrivilege	2560	install.exe
Token: SeAssignPrimaryTokenPrivilege	2560	install.exe
Token: SeLockMemoryPrivilege	2560	install.exe
Token: SeIncreaseQuotaPrivilege	2560	install.exe
Token: SeMachineAccountPrivilege	2560	install.exe
Token: SeTcbPrivilege	2560	install.exe
Token: SeSecurityPrivilege	2560	install.exe
Token: SeTakeOwnershipPrivilege	2560	install.exe
Token: SeLoadDriverPrivilege	2560	install.exe
Token: SeSystemProfilePrivilege	2560	install.exe
Token: SeSystemtimePrivilege	2560	install.exe
Token: SeProfSingleProcessPrivilege	2560	install.exe
Token: SeIncBasePriorityPrivilege	2560	install.exe
Token: SeCreatePagefilePrivilege	2560	install.exe
Token: SeCreatePermanentPrivilege	2560	install.exe
Token: SeBackupPrivilege	2560	install.exe
Token: SeRestorePrivilege	2560	install.exe
Token: SeShutdownPrivilege	2560	install.exe
Token: SeDebugPrivilege	2560	install.exe
Token: SeAuditPrivilege	2560	install.exe
Token: SeSystemEnvironmentPrivilege	2560	install.exe
Token: SeChangeNotifyPrivilege	2560	install.exe
Token: SeRemoteShutdownPrivilege	2560	install.exe
Token: SeUndockPrivilege	2560	install.exe
Token: SeSyncAgentPrivilege	2560	install.exe
Token: SeEnableDelegationPrivilege	2560	install.exe
Token: SeManageVolumePrivilege	2560	install.exe
Token: SeImpersonatePrivilege	2560	install.exe
Token: SeCreateGlobalPrivilege	2560	install.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 444	2144	PlantsVsZombiesSetup_instalador.exe	31
PID 2144 wrote to memory of 444	2144	PlantsVsZombiesSetup_instalador.exe	31
PID 2144 wrote to memory of 444	2144	PlantsVsZombiesSetup_instalador.exe	31
PID 2144 wrote to memory of 444	2144	PlantsVsZombiesSetup_instalador.exe	31
PID 2144 wrote to memory of 444	2144	PlantsVsZombiesSetup_instalador.exe	31
PID 2144 wrote to memory of 444	2144	PlantsVsZombiesSetup_instalador.exe	31
PID 2144 wrote to memory of 444	2144	PlantsVsZombiesSetup_instalador.exe	31
PID 444 wrote to memory of 2560	444	vcredist_x86.exe	32
PID 444 wrote to memory of 2560	444	vcredist_x86.exe	32
PID 444 wrote to memory of 2560	444	vcredist_x86.exe	32
PID 444 wrote to memory of 2560	444	vcredist_x86.exe	32
PID 444 wrote to memory of 2560	444	vcredist_x86.exe	32
PID 444 wrote to memory of 2560	444	vcredist_x86.exe	32
PID 444 wrote to memory of 2560	444	vcredist_x86.exe	32

C:\Users\Admin\AppData\Local\Temp\PlantsVsZombiesSetup_instalador.exe
"C:\Users\Admin\AppData\Local\Temp\PlantsVsZombiesSetup_instalador.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\popcfg2\vcredist_x86.exe
  "C:\Users\Admin\AppData\Local\Temp\popcfg2\vcredist_x86.exe" /q
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:444
- - \??\c:\2188ebb19110121f7905\install.exe
    c:\2188ebb19110121f7905\.\install.exe /q
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2560

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4F50.txt

Filesize
1KB

MD5
5e63d90baacecef4f4169b7fcaafadc6

SHA1
f77db54956c6b6b532121452d12a61eb164254b5

SHA256
87f454add3a04bd760ea0891508845f9a27c0a0aa9ba54d2309fadd2239f0b76

SHA512
12ed143b2a4ed2c4c47c5590d2d0a4c07e2aaa56b4ce1c382a62ec731b13f44c5d7e2378db36bef455af1e4c2c1da8f8e301e90e95261fc233417829331bc9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\popcfg2\defines.xml

Filesize
1KB

MD5
cdaaebdfd3ef6bab4ee3638907902d49

SHA1
3b4e6316c89e1a24643e512d60118498c9c79853

SHA256
8ef0ec424b2a86f718829c67254f9f3cb14a750f72b9d2b711761bf6635cac3f

SHA512
ca125b8079058b2b0e3fdee38c758c8807738a0556293074a269ae018f4a8cb2aabe1ccadc0b2b3355144c897e8d6bfe6cbf667958d7ec76a0a68f83b50ce9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\popcfg2\eula.rtf

Filesize
52KB

MD5
977e662aa64f82e18254938fc04e1cc4

SHA1
d33c0842896d8089037efb5b4924b7b12b5ebe3d

SHA256
5fe1559110c4cf1a53256bdb3d93ad9387295198530405b7d7ea1280c217ec2f

SHA512
90417e5ac7e7f4d1ce1d3d53972f5bdb58f0a57e6aeefb00ad85079991071e9f91a6a8468650e124583a4f5a59df181cde668e5d3aa3565ceb0235cd833ad45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popcfg2\install.xml

Filesize
3KB

MD5
ffae67978e87e939553b867210fa6f79

SHA1
0a3f34219055896a55ee97ebbb4a4ca30b5cb6f4

SHA256
ff0c1899d234fd0300e6953cc4202495db0b3f540c7131671e7e61f73671b165

SHA512
93f5f9d378ba434ea01748abe207ded9f3bc3c4a91945c536754f7a2a114d32e05a0b175c6172dd1d92dfeb0be7339d438e6e9d56640a025b74eede5e98d2931

Download Submit
C:\Users\Admin\AppData\Local\Temp\popcfg2\logo.bmp

Filesize
24KB

MD5
1843d66328cedc1ce60cb98f3d593f4a

SHA1
d84a82214e498123609a13aa54164f972776d33a

SHA256
7f3e2f0ec8926e7911fe024271387657adf8bda95581c6235f995be57ff56ea1

SHA512
f1fa3aa6a62c868d69d17b6ab5e5cb39e4099f971c84c16f6857c6202016ad9104a5f2e188e8721be5ac3ab43c4bc45122e84fff473e4913aed60b4fa3e8c8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\popcfg2\product.bmp

Filesize
19KB

MD5
967b5522d0a7e6c3864cc7239d0e2ba5

SHA1
b59c6c8b92ccfd270e003818c185a2ab556b14d9

SHA256
a46e016098d2322fdcb130e10f73e9c55195719623b7f1889edb5dba229e23c3

SHA512
c9f1f2f425fd3c5541aa5dc0944044923b7417755c3411cc6e50d14982b35a0c785a5c619f0cebcdcf32c9b049f8090b76bd3cb6adc78fe2f5e2df3a82972a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\popcfg2\props.xml

Filesize
6KB

MD5
ed1a4daf65608f02a8bd5a1bb2e19ac6

SHA1
496643241d51f5347f53fc176c69858b65febe6a

SHA256
b0d21cd683d0982eff52f5fe42d8841377110806a2fd1b1d09ea7ccc1893fd14

SHA512
8998362f9fc37dbd535d3cd248aaa43abcbcdfc4dbee308890f41f0ca62073d7658ee398497f15e44a8ea0116a820ea6bf2b57bd7f2baebdf05bd46f49f72606

Download Submit
\2188ebb19110121f7905\install.exe

Filesize
549KB

MD5
33c9213ff5849ef7346799cae4d8ac80

SHA1
5421169811570171e9d2d0a1cdca9665273e7b59

SHA256
3377e31d233ff41aea253e6221815820997763acdf40b005f8791400366cb8ff

SHA512
da0fc3f57156e06c0c37c1fb5176e1b147ce4aa21f519112123722496b04ad4bc3d366e2b51fd78de1ba0304d35bfd5e5fc95cabc2b3eb174f77636a8fa162a1

Download Submit
\??\c:\2188ebb19110121f7905\globdata.ini

Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\2188ebb19110121f7905\install.ini

Filesize
844B

MD5
5feaa6a36fea7dfdb88c18d69ba6d6a9

SHA1
7afd91a7b046d68b6ee9fd367bcd7a4fec546216

SHA256
67a50ffbb8a1d500eaa4d9f0227d6a8595a2750154e6b31662fc4f51286e47fc

SHA512
6c8c0456f232a02a49d51b3f1a830a18b9078e621cd0dc3f4f76f79b83035e8affac67bce3af9a37fa9096a34a8499c59cf982b63a4b2400b9190d2db293e682

Download Submit
\??\c:\2188ebb19110121f7905\install.res.1033.dll

Filesize
89KB

MD5
8e97ea8a1ed69806232e8743f9a28706

SHA1
e911d3802e64f9be0e1ac68865bbcc92624d6a1f

SHA256
2893b1b9751f833d4a3ded7c1fba1a96cada2927a2349c5d751365eed647c100

SHA512
aa57fe0b822145aa1d8eb72f9735ef5d92036f24c4c80392799d701447d18ea510331f5653b39c43dc923cd0f1a61bf87be0f8a4927f6e3754d19ac76fd443c3

Download Submit
\??\c:\2188ebb19110121f7905\vc_red.cab

Filesize
3.7MB

MD5
ecca3c1acb74cb73c600eabdd3f9c9d9

SHA1
f015759f623c377494a5996670204f1fcd0895e3

SHA256
43b7648183347374236296f2176c7c7da920da9c1a08adda761e12614efb299e

SHA512
2785b8e8cfc310ec114cee696c5b85900fc71186dcbf0c99a9c13f4f0fdcc9e9dd583c9d1fd82492a680efcd7071c3593b02b628bd947bc19b1302b931aca807

Download Submit
\??\c:\2188ebb19110121f7905\vc_red.msi

Filesize
227KB

MD5
6e17361f8e53b47656bcf0ed90ade095

SHA1
bce290a700e31579356f7122fb38ce3be452628a

SHA256
8811e5fe167223d906701bc8deb789de0a731e888e285834bcae164b03d43c96

SHA512
a566fc8bbb4d354db32f13de2fde73a1210c61b1c30a1be22b16c7e98b8d51c673259c57a924b04035cb9f0bf4a087a3e8b32221e7ff87032cddc840ffe3ed2f

Download Submit
\Users\Admin\AppData\Local\Temp\popcfg2\vcredist_x86.exe

Filesize
4.0MB

MD5
5689d43c3b201dd3810fa3bba4a6476a

SHA1
6939100e397cef26ec22e95e53fcd9fc979b7bc9

SHA256
41f45a46ee56626ff2699d525bb56a3bb4718c5ca5f4fb5b3b38add64584026b

SHA512
4875134c664503242ec60717232f2917edca20286fc4b675223edbbe5dc0239ebfaf8f67edd76fedcaa2be5419490dc6f47930ca260e6c9988ccf242416c204b

Download Submit