quasar | 344b9876db6b8649b9d65448a715b1923011ea9146e116908eb4d35bd8fa3af6

Analysis

max time kernel
303s
max time network
304s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Passware Kit Forensic 2021 Pre-patched retail installer.exe
Size

381.5MB
MD5

298faa0669e7d439d1ba4a3d641cc619
SHA1

093f271f3c1b4b6e6b948ee61b01ac2c7c02a0fd
SHA256

344b9876db6b8649b9d65448a715b1923011ea9146e116908eb4d35bd8fa3af6
SHA512

0cca0f0e1f1fae77eba6f438ce53c9542811533d9015a24bebaf4fce4ba936a7642c51f25bec74171e60591f10d8bdf7f76e8e49f27e640209b81bdfcfcbda01
SSDEEP

6291456:hVqIbo0MM0kYOnyEBVToKg+IKiwA4kB88xU+WDyb/B/22aMBb7WDnexkq50NguO2:6Is0XRBV3LR4B8vm/hqMdWLeW00NgBa

Score

10^/10

quasar defense_evasion discovery execution persistence privilege_escalation spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/1788-130-0x0000000000400000-0x0000000000466000-memory.dmp	family_quasar
behavioral1/memory/1788-129-0x0000000000400000-0x0000000000466000-memory.dmp	family_quasar
behavioral1/memory/1788-127-0x0000000000400000-0x0000000000466000-memory.dmp	family_quasar
behavioral1/memory/1788-124-0x0000000000400000-0x0000000000466000-memory.dmp	family_quasar
behavioral1/memory/1788-122-0x0000000000400000-0x0000000000466000-memory.dmp	family_quasar

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/files/0x0005000000004ed7-90.dat	Nirsoft

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2096	powershell.exe

System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 3 IoCs

Abuse Regasm to proxy execution of malicious code.

defense_evasion

Regsvcs/Regasm

T1218.009

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RegAsm.exe	ConsoleApp3.exe
Key opened	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe	ConsoleApp3.exe
Key opened	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe	cmd.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	PasswareKitForensic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	PasswareKitForensic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	PasswareKitForensic.exe

Executes dropped EXE 14 IoCs

pid	Process
2808	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1284	Process not Found
2988	ConsoleApp3.exe
2124	AdvancedRun.exe
2284	AdvancedRun.exe
588	AdvancedRun.exe
1436	AdvancedRun.exe
1788	RegAsm.exe
2084	RegAsm.exe
1704	PasswareKitForensic.exe
3036	PasswareKitForensic.exe
920	PasswareKitForensic.exe
960	PasswareKitForensic.exe
3012	PasswareKitForensic.exe

Loads dropped DLL 49 IoCs

pid	Process
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1284	Process not Found
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1224	MsiExec.exe
1224	MsiExec.exe
2988	ConsoleApp3.exe
2988	ConsoleApp3.exe
2124	AdvancedRun.exe
2124	AdvancedRun.exe
2988	ConsoleApp3.exe
2988	ConsoleApp3.exe
588	AdvancedRun.exe
588	AdvancedRun.exe
2988	ConsoleApp3.exe
1788	RegAsm.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1640	cmd.exe
2084	RegAsm.exe
1224	MsiExec.exe
1224	MsiExec.exe
2284	MsiExec.exe
2464	MsiExec.exe
2464	MsiExec.exe
2284	MsiExec.exe
2284	MsiExec.exe
2284	MsiExec.exe
2464	MsiExec.exe
1140	msiexec.exe
1140	msiexec.exe
2284	MsiExec.exe
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1704	PasswareKitForensic.exe
3036	PasswareKitForensic.exe
920	PasswareKitForensic.exe
960	PasswareKitForensic.exe
920	PasswareKitForensic.exe
920	PasswareKitForensic.exe
920	PasswareKitForensic.exe
3012	PasswareKitForensic.exe
1284	Process not Found
3012	PasswareKitForensic.exe
3012	PasswareKitForensic.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\KitForensic = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Passware Kit Forensic\\KitForensic.exe\""	ConsoleApp3.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2332	msiexec.exe
5	2332	msiexec.exe
10	1140	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2988 set thread context of 1788	2988	ConsoleApp3.exe	45

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Irish\length26	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Polish\length32	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Romanian\length13-volume2	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Romanian\length18	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\locales\fr.pak	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\German\length12	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Dutch\length32	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Finnish\length28	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Slovenian\length8-volume1	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\chrome_200_percent.pak	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\KoreLogic\KoreLogicRulesPrepend4LetterMonths.pwm	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Portuguese\length15	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\app.asar.unpacked\mobile.node	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Italian\length17	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Spanish\length10	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Bulgarian\length20	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Russian\length13	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Italian\index	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Polish\length28	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Russian\length10	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Slovenian\length28	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Spanish\length18	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Bulgarian\length15	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Bulgarian\length23	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\German\length7	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Swedish\length27	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Finnish\length8	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\German\length22	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Dutch\length25	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\English\length3	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Finnish\length25	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Italian\length21	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Portuguese\length4	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Slovenian\length30	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Danish\length25	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Danish\length29	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Spanish\length22	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Estonian\length13	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Russian\length4	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\locales\zh\translation.json	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\agents\agent-win32-x64.pkg.cert	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Arabic\length8-volume1	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Polish\length15	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Polish\length16	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Portuguese\length12	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Romanian\length25	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Danish\length16	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\German\length9	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Spanish\length10-volume1	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Spanish\length7	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Dutch\length35	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Greek\length15	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\German\length8	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Portuguese\length7	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Slovenian\length3	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Dutch\length17	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\German\length30	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\German\length34	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Romanian\length12-volume1	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Romanian\length12-volume2	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Arabic\length14	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Bulgarian\length12-volume1	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\English\length15	msiexec.exe
File created	C:\Program Files\Passware\Passware Kit 2021\resources\dictionaries\Swedish\length18	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f7a65a6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C71.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E76.tmp	msiexec.exe
File created	C:\Windows\Installer\f7a65a9.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f7a65a6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F04.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI6F24.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI72FE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8596.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7a65a7.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f7a65a7.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E56.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7280.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI82C7.tmp	msiexec.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
588	AdvancedRun.exe
2124	AdvancedRun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1740	1788	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ConsoleApp3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passware Kit Forensic 2021 Pre-patched retail installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1580	PING.EXE

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1580	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2124	AdvancedRun.exe
2124	AdvancedRun.exe
2284	AdvancedRun.exe
2284	AdvancedRun.exe
588	AdvancedRun.exe
588	AdvancedRun.exe
1436	AdvancedRun.exe
1436	AdvancedRun.exe
2988	ConsoleApp3.exe
2988	ConsoleApp3.exe
2988	ConsoleApp3.exe
2096	powershell.exe
1140	msiexec.exe
1140	msiexec.exe
3036	PasswareKitForensic.exe
960	PasswareKitForensic.exe
3012	PasswareKitForensic.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2332	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2332	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2332	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeSecurityPrivilege	1140	msiexec.exe
Token: SeCreateTokenPrivilege	2332	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2332	msiexec.exe
Token: SeLockMemoryPrivilege	2332	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2332	msiexec.exe
Token: SeMachineAccountPrivilege	2332	msiexec.exe
Token: SeTcbPrivilege	2332	msiexec.exe
Token: SeSecurityPrivilege	2332	msiexec.exe
Token: SeTakeOwnershipPrivilege	2332	msiexec.exe
Token: SeLoadDriverPrivilege	2332	msiexec.exe
Token: SeSystemProfilePrivilege	2332	msiexec.exe
Token: SeSystemtimePrivilege	2332	msiexec.exe
Token: SeProfSingleProcessPrivilege	2332	msiexec.exe
Token: SeIncBasePriorityPrivilege	2332	msiexec.exe
Token: SeCreatePagefilePrivilege	2332	msiexec.exe
Token: SeCreatePermanentPrivilege	2332	msiexec.exe
Token: SeBackupPrivilege	2332	msiexec.exe
Token: SeRestorePrivilege	2332	msiexec.exe
Token: SeShutdownPrivilege	2332	msiexec.exe
Token: SeDebugPrivilege	2332	msiexec.exe
Token: SeAuditPrivilege	2332	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2332	msiexec.exe
Token: SeChangeNotifyPrivilege	2332	msiexec.exe
Token: SeRemoteShutdownPrivilege	2332	msiexec.exe
Token: SeUndockPrivilege	2332	msiexec.exe
Token: SeSyncAgentPrivilege	2332	msiexec.exe
Token: SeEnableDelegationPrivilege	2332	msiexec.exe
Token: SeManageVolumePrivilege	2332	msiexec.exe
Token: SeImpersonatePrivilege	2332	msiexec.exe
Token: SeCreateGlobalPrivilege	2332	msiexec.exe
Token: SeCreateTokenPrivilege	2332	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2332	msiexec.exe
Token: SeLockMemoryPrivilege	2332	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2332	msiexec.exe
Token: SeMachineAccountPrivilege	2332	msiexec.exe
Token: SeTcbPrivilege	2332	msiexec.exe
Token: SeSecurityPrivilege	2332	msiexec.exe
Token: SeTakeOwnershipPrivilege	2332	msiexec.exe
Token: SeLoadDriverPrivilege	2332	msiexec.exe
Token: SeSystemProfilePrivilege	2332	msiexec.exe
Token: SeSystemtimePrivilege	2332	msiexec.exe
Token: SeProfSingleProcessPrivilege	2332	msiexec.exe
Token: SeIncBasePriorityPrivilege	2332	msiexec.exe
Token: SeCreatePagefilePrivilege	2332	msiexec.exe
Token: SeCreatePermanentPrivilege	2332	msiexec.exe
Token: SeBackupPrivilege	2332	msiexec.exe
Token: SeRestorePrivilege	2332	msiexec.exe
Token: SeShutdownPrivilege	2332	msiexec.exe
Token: SeDebugPrivilege	2332	msiexec.exe
Token: SeAuditPrivilege	2332	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2332	msiexec.exe
Token: SeChangeNotifyPrivilege	2332	msiexec.exe
Token: SeRemoteShutdownPrivilege	2332	msiexec.exe
Token: SeUndockPrivilege	2332	msiexec.exe
Token: SeSyncAgentPrivilege	2332	msiexec.exe
Token: SeEnableDelegationPrivilege	2332	msiexec.exe
Token: SeManageVolumePrivilege	2332	msiexec.exe
Token: SeImpersonatePrivilege	2332	msiexec.exe
Token: SeCreateGlobalPrivilege	2332	msiexec.exe
Token: SeCreateTokenPrivilege	2332	msiexec.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
2332	msiexec.exe
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
2332	msiexec.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe
1704	PasswareKitForensic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1788	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2808	1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe	31
PID 1672 wrote to memory of 2808	1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe	31
PID 1672 wrote to memory of 2808	1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe	31
PID 1672 wrote to memory of 2808	1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe	31
PID 2808 wrote to memory of 2332	2808	Passware Kit Forensic 2021 Pre-patched retail installer.exe	32
PID 2808 wrote to memory of 2332	2808	Passware Kit Forensic 2021 Pre-patched retail installer.exe	32
PID 2808 wrote to memory of 2332	2808	Passware Kit Forensic 2021 Pre-patched retail installer.exe	32
PID 2808 wrote to memory of 2332	2808	Passware Kit Forensic 2021 Pre-patched retail installer.exe	32
PID 2808 wrote to memory of 2332	2808	Passware Kit Forensic 2021 Pre-patched retail installer.exe	32
PID 1672 wrote to memory of 2988	1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe	33
PID 1672 wrote to memory of 2988	1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe	33
PID 1672 wrote to memory of 2988	1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe	33
PID 1672 wrote to memory of 2988	1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe	33
PID 1672 wrote to memory of 2988	1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe	33
PID 1672 wrote to memory of 2988	1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe	33
PID 1672 wrote to memory of 2988	1672	Passware Kit Forensic 2021 Pre-patched retail installer.exe	33
PID 1140 wrote to memory of 1224	1140	msiexec.exe	35
PID 1140 wrote to memory of 1224	1140	msiexec.exe	35
PID 1140 wrote to memory of 1224	1140	msiexec.exe	35
PID 1140 wrote to memory of 1224	1140	msiexec.exe	35
PID 1140 wrote to memory of 1224	1140	msiexec.exe	35
PID 2988 wrote to memory of 2124	2988	ConsoleApp3.exe	36
PID 2988 wrote to memory of 2124	2988	ConsoleApp3.exe	36
PID 2988 wrote to memory of 2124	2988	ConsoleApp3.exe	36
PID 2988 wrote to memory of 2124	2988	ConsoleApp3.exe	36
PID 2124 wrote to memory of 2284	2124	AdvancedRun.exe	37
PID 2124 wrote to memory of 2284	2124	AdvancedRun.exe	37
PID 2124 wrote to memory of 2284	2124	AdvancedRun.exe	37
PID 2124 wrote to memory of 2284	2124	AdvancedRun.exe	37
PID 2988 wrote to memory of 588	2988	ConsoleApp3.exe	38
PID 2988 wrote to memory of 588	2988	ConsoleApp3.exe	38
PID 2988 wrote to memory of 588	2988	ConsoleApp3.exe	38
PID 2988 wrote to memory of 588	2988	ConsoleApp3.exe	38
PID 588 wrote to memory of 1436	588	AdvancedRun.exe	39
PID 588 wrote to memory of 1436	588	AdvancedRun.exe	39
PID 588 wrote to memory of 1436	588	AdvancedRun.exe	39
PID 588 wrote to memory of 1436	588	AdvancedRun.exe	39
PID 2988 wrote to memory of 1768	2988	ConsoleApp3.exe	42
PID 2988 wrote to memory of 1768	2988	ConsoleApp3.exe	42
PID 2988 wrote to memory of 1768	2988	ConsoleApp3.exe	42
PID 2988 wrote to memory of 1768	2988	ConsoleApp3.exe	42
PID 1768 wrote to memory of 2096	1768	WScript.exe	43
PID 1768 wrote to memory of 2096	1768	WScript.exe	43
PID 1768 wrote to memory of 2096	1768	WScript.exe	43
PID 1768 wrote to memory of 2096	1768	WScript.exe	43
PID 2988 wrote to memory of 1788	2988	ConsoleApp3.exe	45
PID 2988 wrote to memory of 1788	2988	ConsoleApp3.exe	45
PID 2988 wrote to memory of 1788	2988	ConsoleApp3.exe	45
PID 2988 wrote to memory of 1788	2988	ConsoleApp3.exe	45
PID 2988 wrote to memory of 1788	2988	ConsoleApp3.exe	45
PID 2988 wrote to memory of 1788	2988	ConsoleApp3.exe	45
PID 2988 wrote to memory of 1788	2988	ConsoleApp3.exe	45
PID 2988 wrote to memory of 1788	2988	ConsoleApp3.exe	45
PID 2988 wrote to memory of 1788	2988	ConsoleApp3.exe	45
PID 2988 wrote to memory of 1788	2988	ConsoleApp3.exe	45
PID 2988 wrote to memory of 1788	2988	ConsoleApp3.exe	45
PID 2988 wrote to memory of 1788	2988	ConsoleApp3.exe	45
PID 1788 wrote to memory of 1640	1788	RegAsm.exe	46
PID 1788 wrote to memory of 1640	1788	RegAsm.exe	46
PID 1788 wrote to memory of 1640	1788	RegAsm.exe	46
PID 1788 wrote to memory of 1640	1788	RegAsm.exe	46
PID 1788 wrote to memory of 1740	1788	RegAsm.exe	48
PID 1788 wrote to memory of 1740	1788	RegAsm.exe	48
PID 1788 wrote to memory of 1740	1788	RegAsm.exe	48

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Passware Kit Forensic 2021 Pre-patched retail installer.exe
"C:\Users\Admin\AppData\Local\Temp\Passware Kit Forensic 2021 Pre-patched retail installer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\NvTelemetry\Passware Kit Forensic 2021 Pre-patched retail installer.exe
  "C:\Users\Admin\AppData\Local\Temp\NvTelemetry\Passware Kit Forensic 2021 Pre-patched retail installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\msiexec.exe
    msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI168D.tmp
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2332
  - - C:\Program Files\Passware\Passware Kit 2021\PasswareKitForensic.exe
      "C:\Program Files\Passware\Passware Kit 2021\PasswareKitForensic.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1704
    - - C:\Program Files\Passware\Passware Kit 2021\PasswareKitForensic.exe
        
        "C:\Program Files\Passware\Passware Kit 2021\PasswareKitForensic.exe" --type=gpu-process --field-trial-handle=1080,15233452073931603820,16634458866778948008,131072 --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --service-request-channel-token=8884917715466876583 --mojo-platform-channel-handle=1088 --ignored=" --type=renderer " /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:920
    - - C:\Program Files\Passware\Passware Kit 2021\PasswareKitForensic.exe
        
        "C:\Program Files\Passware\Passware Kit 2021\PasswareKitForensic.exe" --type=utility --field-trial-handle=1080,15233452073931603820,16634458866778948008,131072 --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --service-request-channel-token=1685524464626796508 --mojo-platform-channel-handle=1368 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:3036
    - - C:\Program Files\Passware\Passware Kit 2021\PasswareKitForensic.exe
        
        "C:\Program Files\Passware\Passware Kit 2021\PasswareKitForensic.exe" --type=renderer --field-trial-handle=1080,15233452073931603820,16634458866778948008,131072 --disable-features=SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-path="C:\Program Files\Passware\Passware Kit 2021\resources\app.asar" --node-integration --webview-tag --no-sandbox --no-zygote --background-color=#fff --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=6041817204133817049 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1552 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:960
    - - C:\Program Files\Passware\Passware Kit 2021\PasswareKitForensic.exe
        
        "C:\Program Files\Passware\Passware Kit 2021\PasswareKitForensic.exe" "C:\Program Files\Passware\Passware Kit 2021\resources\app.asar\engine-initializer.js"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
- C:\Users\Admin\AppData\Local\Temp\NvTelemetry\ConsoleApp3.exe
  C:\Users\Admin\AppData\Local\Temp\NvTelemetry\ConsoleApp3.exe
  2⤵
  - System Binary Proxy Execution: Regsvcs/Regasm
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Access Token Manipulation: Create Process with Token
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2124
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2284
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Access Token Manipulation: Create Process with Token
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 588
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1436
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Mjtbwkkhvk.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Passware Kit Forensic\KitForensic.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2096
- - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\G3RUW2G69PaM.bat" "
      4⤵
      System Binary Proxy Execution: Regsvcs/Regasm
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1640
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1500
      4⤵
      Loads dropped DLL
      Program crash
      PID:1740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding E9D0A00E17C47D4DDFADD081D05149E1 C
  2⤵
  - Loads dropped DLL
  PID:1224
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 8581A31B9A3147B68503DB2334BB91F4
  2⤵
  - Loads dropped DLL
  PID:2284
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 57A45CC7ACA8157476D7F1082924A41B
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2708

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "00000000000003D0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Modify Registry

T1112

System Binary Proxy Execution

T1218

Regsvcs/Regasm

T1218.009

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7a65a8.rbs

Filesize
201KB

MD5
fe2f6e930930085ac66b2e852571af69

SHA1
16b817aeebe9c2f698baf801f03d2933078dd1e8

SHA256
8ea90ec42f3c76f64a4890da8dbc90090ba28e472de17f0d7e9ea6a78f8ae725

SHA512
411c1643957ab8230626e4476022f9f52dc015f465a562be1dbe719b2b2f5d6e3e4edf4e562b09f990784dffb9dc7a47b3dcc1188e6e5a6ae024f38778229415

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fce8f305c654a31e5dbb0731f3854d7a

SHA1
0581a9c2b66b79d3a46c9d8c893c662cc50c235a

SHA256
9aea3aaa80cca99d57afd8d7965c900a3f204635423338d0dea3195d6c1414cd

SHA512
7ba8bf480c134f072927bb92006aa53f67eede5e3fea559c15158503be09f340db0f5e1d92235225f9bcdc6e1cb4cfbdbe0b6e13f13a3049569ddabff5be5cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2416.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\G3RUW2G69PaM.bat

Filesize
203B

MD5
50f7a469dc9fd84731433193b7e02f86

SHA1
2b114ced6383e89664e145650ed7756c55e0f850

SHA256
34b49774b38ac542dd55b2514f9c9918925c225f85aeef80556288a46a376e57

SHA512
6372007ed5c7ed8a33d464ad3755417bc9a00c3d19e1e4c1e84c3489f31bd6f3fb2fec9f51bfc8fe50706fe7aac9c050593e1cdef9d938d4102074795edfcfe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI25F4.tmp

Filesize
3.4MB

MD5
4bef1140a7cadc194f2c20bff8f3b71d

SHA1
fa0e79b3dd1bad013c47ac8e0ded03216d044635

SHA256
a40a496fcfb6ab3935098e2158681e095dc83a66f3984aa01e1f0997208749da

SHA512
c2551a9b758d74d203c49c9bc185bd1dfc022d090718004536757fede4c6e4b8a014f385acc713ab94c83c45b1fbf0c6d5a6f559d4c0c29114344f1200ea0c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2429.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Mjtbwkkhvk.vbs

Filesize
201B

MD5
037e1750f892c1bc7d7e45d0e7735d57

SHA1
32d9b435ac76f32271fed9d602e723a64621bf36

SHA256
a1c60aeef9648ffc3619215635803794319570461d1c51994ad39610aeb6ad59

SHA512
59734b5e8f8ffe76288820ef5a538a3243a23fc085418d69015704372282b59d87c2a8c5a927d87db5bd53e6985f66db6c13d93409da7ea28fb96e7c178d8c82

Download Submit
C:\Users\Admin\AppData\Roaming\Passware\Passware Kit\2018\config.json

Filesize
76B

MD5
10d9c9508ddeb211d66ac44bbead244a

SHA1
25091f6d195875aa8746a5add7476e613124122a

SHA256
e5237d0cbea9dff358ec391de53c272813ba7fcb71d9d16179e2478cf9326e5d

SHA512
d223982b4bd11da7f6ae8391d30c20a1e5949edbf78460951862037c5dc6e0303a7c31039a5f55e7b6d57ce7dc4ef629582c71c712debe42dabda1e91e170304

Download Submit
C:\Users\Admin\AppData\Roaming\Passware\Passware Kit\2018\config.json

Filesize
1KB

MD5
1df99297e6f395c777e96a277bcad6d0

SHA1
cbaf37de2293a2437ca7108146d3ed1f3d27de10

SHA256
519e9c6abd9771e5b99fe2a2d3a8976ea4697eb6b323212292647f7b85e854b1

SHA512
2f56b630e3f5bbdac9d822553bdfe1d3fe5e586ee4fee198dd70041c6e1cac0e8b75891658761c3006e91e4442eb0f06f6970cd533558fe9d4f8660cce288be8

Download Submit
C:\Users\Admin\AppData\Roaming\Passware\Passware Kit\2018\config.json

Filesize
1KB

MD5
095e544838516f78ac19c36c72fc6106

SHA1
b000c21be3478c6e80f9e0321ce546aa85a54947

SHA256
0123e3c5ccceafb7b849652e542250d373492ff74a63aa394e6cabde83f3f0a0

SHA512
7fa59c47fe5af0be91a66355fb2385de9db73d5c42e19720cc3ee82d7b2c70c0ea4b2d066a9fec0f51ed0adf1965bf6feb1c7e4a27ef9caeb31d8207e39c3ecd

Download Submit
C:\Users\Admin\AppData\Roaming\Passware\Passware Kit\2018\config.json

Filesize
1KB

MD5
241845117e07d01f8d46839156f9dc2d

SHA1
a1f5b0eaa65ccaf2ca3d5fd4315074f60abd9ba0

SHA256
73073069da05d89bf656597473e23761b0bfc2df4aa305b9a011678a72c6b52f

SHA512
5dc8b0bcf5e77d3c177ec6f6ef099693146938bdab801f1c26638499323cb9e42372f7e9078858c2e0d31d1e130939273a1a43f2858020a84a7f44414193aa30

Download Submit
C:\Users\Admin\AppData\Roaming\Passware\Passware Kit\2018\config.json

Filesize
1KB

MD5
11201b4b7ac63bdabe0762c8962939f2

SHA1
a5a029f11811cbdf4e091b08a660d1b91393a581

SHA256
506e22b00f5c20178a5eb2c9a633674522e0beed65bde106345aa01be2fae741

SHA512
09aac8033fe84141862f7f9c412d1d55b4cb05c85a34d119aeb2a9eaf6df572803fbc11220abcdc19370a7898e0c389a9d8e2ed5ac45ec9c56068bae2bf893bd

Download Submit
C:\Users\Admin\AppData\Roaming\Passware\Passware Kit\2018\config.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Passware\Passware Kit\2018\config.json.1731047310

Filesize
47B

MD5
8094d9ebb783e84793317facca3dfe06

SHA1
f63c277555ca0ea03c05c6e699c458f23f3588e9

SHA256
d155fae558bc9d9f7a88ca3e6df3f9cfd82a5aea1dd47875a6e593ea29d144a2

SHA512
dbfe3735aa090535eb9bfa07371b9e1008a204a3335a62e2feb849496df557a0c33912a65ff037d511df7cfe14bc0bba3c81a611f3e325485d47a628b541d985

Download Submit
C:\Users\Admin\AppData\Roaming\Passware\Passware Kit\2018\config.json.3886554126

Filesize
1KB

MD5
b68ce014a5a12f0e9f5472cf3d47f50f

SHA1
322dbd881b98dd1198290afb38b6baf613b3c38f

SHA256
89bdd4969cab2b55c69b64cbb254b6840097a6d4bbe8bb91b974ab13dd496a01

SHA512
3c7da88ff7ed0095ec628e51cb6412d5966f00a9f940321bbf9e2ff1b753af98af8deefa628aa92000e6244e14fe9c4a7384a0191df64cbe7f84a1f96bd0e674

Download Submit
C:\Windows\Installer\MSI6E76.tmp

Filesize
118KB

MD5
0a0213ab2116de22ff1eca662f74ed53

SHA1
a6a96f7ab19f72f7ad068b285ab87a28d5a9331a

SHA256
33eac3284885cc1b6709f7c29ed596fc1494a395281105cd3efb2f6c9c91a678

SHA512
4dbb7d4942993f7da5b969a5361c59ba3be064cbdd15425948a0625632cc0ee6af16b0866aadb179818c67bda5dab13aac0c977f423eac785094075a14398d89

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/920-1014-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/920-1050-0x0000000077D70000-0x0000000077D71000-memory.dmp

Filesize
4KB

Download
memory/1788-126-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1788-124-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1788-120-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1788-122-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1788-127-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1788-129-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1788-130-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1788-118-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2084-151-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/2988-23-0x00000000010F0000-0x0000000001140000-memory.dmp

Filesize
320KB

Download
memory/2988-83-0x0000000000910000-0x000000000092C000-memory.dmp

Filesize
112KB

Download
memory/2988-24-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/3012-1086-0x00000000044C0000-0x00000000054C0000-memory.dmp

Filesize
16.0MB

Download