df07f0f3d9888fd153d5d08f4a8ccb1ba4f2553316d78e101c1800bc42f9ad0c

Resubmissions

12/02/2023, 12:07

230212-paay5sdg59 10

12/02/2023, 11:53

230212-n2lz2sdf89 10

Analysis

max time kernel
547s
max time network
507s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2023, 11:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

TortoiseGit-2.14.0.0-64bit.msi
Size

21.6MB
MD5

ca36bf3998301057ab7f4f64a84085f5
SHA1

66353468825a754f384f9c1bd3e34b37bd9071f7
SHA256

df07f0f3d9888fd153d5d08f4a8ccb1ba4f2553316d78e101c1800bc42f9ad0c
SHA512

87ad935e1329a0e6076b3a58e27e149b08adbc516328ecbe47707d41601af9b0277a8a591a5fee723d3d9e9778e123e6434f23d1a930b12d5f10519df6f23636
SSDEEP

393216:348DJa1Zmo8Swa0evzN0eAUAyzziv7asm7sf7SG8aQASSV7e9Jdmq6sbNyPDN:348Vkmz4zN0KA1TgcqarSSV7e4bB

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\lnkfile\shellex\ContextMenuHandlers\TortoiseGit	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TortoiseGit\ = "{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}"	msiexec.exe

Blocklisted process makes network request 9 IoCs

flow	pid	Process
5	4968	msiexec.exe
7	4968	msiexec.exe
16	4968	msiexec.exe
19	4968	msiexec.exe
21	4968	msiexec.exe
25	4968	msiexec.exe
35	4968	msiexec.exe
40	4968	msiexec.exe
82	5028	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4072	TortoiseGitProc.exe
1976	RExC2EF.exe

Loads dropped DLL 25 IoCs

pid	Process
4324	MsiExec.exe
4072	TortoiseGitProc.exe
4072	TortoiseGitProc.exe
4072	TortoiseGitProc.exe
4072	TortoiseGitProc.exe
4072	TortoiseGitProc.exe
4072	TortoiseGitProc.exe
4072	TortoiseGitProc.exe
4072	TortoiseGitProc.exe
4072	TortoiseGitProc.exe
4072	TortoiseGitProc.exe
4088	MsiExec.exe
752	Process not Found
752	Process not Found
752	Process not Found
752	Process not Found
752	Process not Found
752	Process not Found
752	Process not Found
752	Process not Found
752	Process not Found
752	Process not Found
752	Process not Found
752	Process not Found
752	Process not Found

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E453CBA-2AAB-465C-A01E-627A7BE9ED73}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E453CBA-2AAB-465C-A01E-627A7BE9ED73}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{475A024D-6157-4E03-8C61-D1FA9806415C}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A38915E4-A460-4143-8D6B-0B45564C6A00}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1B94B098-57C6-4C39-9DC5-8EB00E423D3E}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9642A3D3-7425-49F6-8F75-6A001F716AED}\LocalServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\GitWCRevCOM.exe /automation"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4E453CBA-2AAB-465C-A01E-627A7BE9ED73}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{475A024D-6157-4E03-8C61-D1FA9806415C}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E453CBA-2AAB-465C-A01E-627A7BE9ED73}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{475A024D-6157-4E03-8C61-D1FA9806415C}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B94B098-57C6-4C39-9DC5-8EB00E423D3E}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B94B098-57C6-4C39-9DC5-8EB00E423D3E}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A38915E4-A460-4143-8D6B-0B45564C6A00}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\TortoiseGit\bin\TortoiseGitBlame.exe	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\TortoiseGit32.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Blip\ReadOnlyIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesVista\LockedIcon.ico	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Professional\LockedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\puttygen.exe	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\package.msix	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Professional\DeletedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-crt-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\XPStyle\DeletedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\zlib132_tgit.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\Diff-Scripts\diff-odt.vbs	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\msvcp140.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\MufWin7\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Win10\LockedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\dbghelp.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\mfc140rus.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Win10\ConflictIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Win10\UnversionedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesVista\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\Diff-Scripts\diff-sxw.vbs	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Flat\NormalIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\MufWin7\ConflictIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-core-memory-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Illustration\IgnoredIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Ribbon\ConflictIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesXP\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesXP\ReadOnlyIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\Languages\en_GB.aff	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Illustration\AddedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Illustration\ConflictIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\CVSClassic\NormalIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\tgittouch.exe	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-core-processenvironment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\XPStyle\AddedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\zlib1_tgit.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\BlipClean\DeletedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Modern\LockedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-core-processthreads-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-crt-stdio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Ribbon\UnversionedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Win10\ReadOnlyIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\BlipClean\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Function\DeletedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Function\UnversionedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\mfc140ita.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Professional\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Function\LockedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Subclipse\DeletedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\TortoiseGitUDiff.exe	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-core-namedpipe-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Blip\AddedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\SciLexer_tgit.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\Diff-Scripts\diff-nb.vbs	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Function\IgnoredIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-crt-multibyte-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TortoiseOverlays\icons\XPStyle\DeletedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Blip\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\Diff-Scripts\diff-xls.js	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Flat\IgnoredIcon.ico	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI39DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{BD164598-BAEE-485E-B56F-6578A8C4C6CE}\TGITIcon	msiexec.exe
File created	C:\Windows\Installer\e5a3701.msi	msiexec.exe
File created	C:\Windows\Installer\e5a36ff.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a36ff.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{BD164598-BAEE-485E-B56F-6578A8C4C6CE}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI451A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{BD164598-BAEE-485E-B56F-6578A8C4C6CE}\TGITIcon	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000005cb6ed2f2c7878f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000005cb6ed20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090005cb6ed2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\895461DBEEABE5845BF656878A4C6CEC\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\895461DBEEABE5845BF656878A4C6CEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\ = "TortoiseGit"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\git\ = "URL: Git Protocol"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A38915E4-A460-4143-8D6B-0B45564C6A00}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\tortoisegit.patch.document\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{475A024D-6157-4E03-8C61-D1FA9806415C}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B94B098-57C6-4C39-9DC5-8EB00E423D3E}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub32.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tortoisegit.patch.document\ = "Patch File"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files (x86)\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\TortoiseGitUDiff.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Folder\shellex\DragDropHandlers\TortoiseGit	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{475A024D-6157-4E03-8C61-D1FA9806415C}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2E334DC-2799-4961-9FCC-C324CB5FD205}\1.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\895461DBEEABE5845BF656878A4C6CEC\DictionaryENUS = "DefaultFeature"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\895461DBEEABE5845BF656878A4C6CEC\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\ = "TortoiseGit"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B94B098-57C6-4C39-9DC5-8EB00E423D3E}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tortoisegit.patch.document	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{41886E22-73C4-49E8-8831-37F79CED16FE}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.diff\PerceivedType = "text"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{9642A3D3-7425-49F6-8F75-6A001F716AED}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\tgit	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\github-windows	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\895461DBEEABE5845BF656878A4C6CEC\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files (x86)\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{475A024D-6157-4E03-8C61-D1FA9806415C}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\GitWCRev.object	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TortoiseGit.UrlHandler\shell\open\command\ = "\"C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitProc.exe\" /urlhandler:\"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\895461DBEEABE5845BF656878A4C6CEC	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\smartgit	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{475A024D-6157-4E03-8C61-D1FA9806415C}\ = "TortoiseGit"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\LibraryFolder\background\shellex\ContextMenuHandlers\TortoiseGit	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\TortoiseGit\ = "{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\ = "TortoiseSVN"	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
868	vlc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5028	msiexec.exe
5028	msiexec.exe
844	powershell.exe
844	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4072	TortoiseGitProc.exe
868	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4968	msiexec.exe
Token: SeSecurityPrivilege	5028	msiexec.exe
Token: SeCreateTokenPrivilege	4968	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4968	msiexec.exe
Token: SeLockMemoryPrivilege	4968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4968	msiexec.exe
Token: SeMachineAccountPrivilege	4968	msiexec.exe
Token: SeTcbPrivilege	4968	msiexec.exe
Token: SeSecurityPrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeLoadDriverPrivilege	4968	msiexec.exe
Token: SeSystemProfilePrivilege	4968	msiexec.exe
Token: SeSystemtimePrivilege	4968	msiexec.exe
Token: SeProfSingleProcessPrivilege	4968	msiexec.exe
Token: SeIncBasePriorityPrivilege	4968	msiexec.exe
Token: SeCreatePagefilePrivilege	4968	msiexec.exe
Token: SeCreatePermanentPrivilege	4968	msiexec.exe
Token: SeBackupPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeShutdownPrivilege	4968	msiexec.exe
Token: SeDebugPrivilege	4968	msiexec.exe
Token: SeAuditPrivilege	4968	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4968	msiexec.exe
Token: SeChangeNotifyPrivilege	4968	msiexec.exe
Token: SeRemoteShutdownPrivilege	4968	msiexec.exe
Token: SeUndockPrivilege	4968	msiexec.exe
Token: SeSyncAgentPrivilege	4968	msiexec.exe
Token: SeEnableDelegationPrivilege	4968	msiexec.exe
Token: SeManageVolumePrivilege	4968	msiexec.exe
Token: SeImpersonatePrivilege	4968	msiexec.exe
Token: SeCreateGlobalPrivilege	4968	msiexec.exe
Token: SeBackupPrivilege	4236	vssvc.exe
Token: SeRestorePrivilege	4236	vssvc.exe
Token: SeAuditPrivilege	4236	vssvc.exe
Token: SeBackupPrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe
Token: SeTakeOwnershipPrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe
Token: SeTakeOwnershipPrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe
Token: SeTakeOwnershipPrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe
Token: SeTakeOwnershipPrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe
Token: SeTakeOwnershipPrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe
Token: SeTakeOwnershipPrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe
Token: SeTakeOwnershipPrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe
Token: SeTakeOwnershipPrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe
Token: SeTakeOwnershipPrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe
Token: SeTakeOwnershipPrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe
Token: SeTakeOwnershipPrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe
Token: SeTakeOwnershipPrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe
Token: SeTakeOwnershipPrivilege	5028	msiexec.exe
Token: SeRestorePrivilege	5028	msiexec.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
4968	msiexec.exe
4968	msiexec.exe
1976	RExC2EF.exe
868	vlc.exe
868	vlc.exe
868	vlc.exe
868	vlc.exe
868	vlc.exe
868	vlc.exe
868	vlc.exe
868	vlc.exe
868	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
868	vlc.exe
868	vlc.exe
868	vlc.exe
868	vlc.exe
868	vlc.exe
868	vlc.exe
868	vlc.exe
868	vlc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4072	TortoiseGitProc.exe
4072	TortoiseGitProc.exe
868	vlc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 1392	5028	msiexec.exe	96
PID 5028 wrote to memory of 1392	5028	msiexec.exe	96
PID 5028 wrote to memory of 4324	5028	msiexec.exe	98
PID 5028 wrote to memory of 4324	5028	msiexec.exe	98
PID 5028 wrote to memory of 4324	5028	msiexec.exe	98
PID 4968 wrote to memory of 4072	4968	msiexec.exe	101
PID 4968 wrote to memory of 4072	4968	msiexec.exe	101
PID 5028 wrote to memory of 4088	5028	msiexec.exe	102
PID 5028 wrote to memory of 4088	5028	msiexec.exe	102
PID 4088 wrote to memory of 1976	4088	MsiExec.exe	103
PID 4088 wrote to memory of 1976	4088	MsiExec.exe	103

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TortoiseGit-2.14.0.0-64bit.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Program Files\TortoiseGit\bin\TortoiseGitProc.exe
  "C:\Program Files\TortoiseGit\bin\TortoiseGitProc.exe" /command:firststart
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4072

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies system executable filetype association
- Blocklisted process makes network request
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1392
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 912AE875AAE0EAFBA1894AA03DE6C340
  2⤵
  - Loads dropped DLL
  PID:4324
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 86BE2978907F56513EE04C6B2DE5BDB0 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\RExC2EF.exe
    "C:\Users\Admin\AppData\Local\Temp\RExC2EF.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:1976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4224

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Program Files\HideExit.ADT"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\Program Files\TortoiseGit\bin'
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TortoiseGit\Diff-Scripts\diff-dll.vbs

Filesize
3KB

MD5
abb8f8871af4b4d0cdbae0df5df70692

SHA1
921a8805f47bf2e32a23f4510e7c9bf513c8bd42

SHA256
661ef095b5c632a6421f203cb678f62aa6868976563e7ae312306509bcff4f96

SHA512
94c664aa4f31500e593c3569bec41863a913e1434e0f003723c4bf3f7487371f1ed7d4e40076b7b92f4e75e6b841969409990ff348b088adee07c081e8fd7880

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\diff-doc.js

Filesize
6KB

MD5
9aae354ae3be1302fae0f9ed867b36bf

SHA1
678167b05a490256fa09c688dde1e3bfaa3ccea1

SHA256
bd04b62a765e2f80ad1cbef08cd25a78903819e1dae1c3d556f394e28e7877b5

SHA512
64c09f0dd0337f6beb462f5e3f46c005fcffcc911b2dd1d5405c65a74e4565642e925048b4867e70d0bc64624a7633bfcc9aeffd33d690fec9b0f4725680a84d

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\diff-nb.vbs

Filesize
2KB

MD5
a0985ea2b1611046ad28222b9f85518d

SHA1
4acae43a89fb6c43b5ebadcd05b2b5ef6afb4253

SHA256
75a347426b014895ba0f6db181ad77f9ea94f8b8699ad4072f823d460a7e5ed7

SHA512
1d05de8238f621765431b012e75ec2f69258270021cdee7a84c77ce7862b355f0a619daaf95c026dcd6c9f339ebf72a450372ac38fc9cb2d2dfefb151010399c

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\diff-odt.vbs

Filesize
3KB

MD5
355ec00e12136e70f08ec743ecee977b

SHA1
48f61d618ee780e0fcb9606723076da46094b785

SHA256
6887109cfee016e1cc6437d261470a034eac99fc7c73d986285f838c0656c686

SHA512
a7c2d93526da48b6d4332237b8adcb259c0fb831df48416d1830204c07ed107abf8fef3f734a7a578aa381d9bce66f7107fe00030224467cda35d1a12a1a0fd1

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\diff-ppt.js

Filesize
2KB

MD5
ff9f2b866a9eaf58879c0ec583b89e39

SHA1
f800a5631dadcdb013d3243952c25852c9cd6862

SHA256
aa83e8156a87bfab1018b844cf5f8449c82b9d9a6ffbf02431d67875ca8ae6ac

SHA512
05651d1d6b4c83c78baf45599b63b9755e410fa19e0cd35e14f32604dd8721b1b34d29d8bc3eb8669990fdd396249bb55c04146b5cb896f482bed14e7e474e09

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\diff-sxw.vbs

Filesize
2KB

MD5
8934717fda7f427816b180f2e0b8ad28

SHA1
d171845540ff22c2037f20e4cb0f53a467177bb7

SHA256
197a05dccc2e82697179095598f1dfba73a8d15705218a7627928b1f53f2c3c1

SHA512
3ef8e1c1746ab8e0226d3b81149d9d1f7e40f80d5f98cbdad0d945f11209ef25e8c5be4491e7dfc7653ae2474aad1a69c92ea8b923c4c33ccbf94dbece05c004

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\diff-xls.js

Filesize
9KB

MD5
0943261a7b8750564c2c0af2e4d93edb

SHA1
7871cf7515c126161be09edd395d33bada827419

SHA256
9ad4e170365cc2e1fffa6f7ef59182f642a40d08b9edb2421e57df9d28aa7608

SHA512
711e3c8a062cf5881cdf6411292d3e9ab21380e27a9274d7087016db2269ce75478aa0a28bc6abd2b38008473d9afdcc501d0bc8a0c47b8d8bfb3bbf551095cc

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\merge-doc.js

Filesize
3KB

MD5
a43e6663646067ddc248ec766a36b503

SHA1
81e794ba5abbe86d83370b333ed122b531e8b7e0

SHA256
ee86557d136a1a1d7fd052f741da90d32db7b5ce1e7d08dfb19dd5570228915e

SHA512
5ceb36b9ddcc88607d114922b03b2d4892cb1b36f5e9850b6354bb4ce5d2c6c5111561883fb90dd5462ad10f35137430a102043e5c9acdb553b805f4dc3e9b9b

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\merge-ods.vbs

Filesize
3KB

MD5
83e424e1b559a3257652cf7e3519ad64

SHA1
e44ba7b35ce4c69acf1633e88e4dd43468b2bb19

SHA256
bfcbe021954bd7b886dd746b195d4463586fde7780cef83e618d7c66571ca733

SHA512
4cc3377d0cdc66114ba2278e4f905214e17379df8c5b5b3a5e1fe2754cf666989051b99b9bb53b309da861e07164912ecd566621f444d56fc50d14e6716bf8a0

Download Submit
C:\Program Files\TortoiseGit\bin\MFC140ENU.DLL

Filesize
68KB

MD5
f93cc93c178ee0d0dcec72b6590837b7

SHA1
d850aa17e90eaa85505b01191b9b4012cdf37de6

SHA256
2368b5905df1d205c956ec94594491241c2b83fd0d22928dfbe1ce7b1657abe2

SHA512
623bef9ce6a83a2576cf32e620767ad7dbc8a5c04c48d896b436f60d4a34d56bb44514079afd6f1580018791d486ee5102c329682f9372afa514232a4002f209

Download Submit
C:\Program Files\TortoiseGit\bin\MSVCP140.dll

Filesize
566KB

MD5
0929e46b1020b372956f204f85e48ed6

SHA1
9dc01cf3892406727c8dc7d12ad8855871c9ef09

SHA256
cb3c74d6fcc091f4eb7c67ee5eb5f76c1c973dea8b1c6b851fcca62c2a9d8aa8

SHA512
dd28fca139d316e2cc4d13a6adffb7af6f1a9dc1fc7297976a4d5103fae44de555a951b99f7601590b331f6dbb9bfc592d31980135e3858e265064117012c8d5

Download Submit
C:\Program Files\TortoiseGit\bin\SciLexer_tgit.dll

Filesize
1.8MB

MD5
b893a2d1d2e37a4a384b4fb968b4bc9a

SHA1
53656b0a141b7f702e95b2bb20ef056a49ce9322

SHA256
2cfe03cba6d0d036a63fcb9db7775e0a3e1d928101871119a7e3235147d1e895

SHA512
f8dc598c13efb9c5dc32efff3e2e3d0971cc17ae7e4367f8f10314e724ba4d24e6020ed6914f1bffae3d3a215a83c230fa90df90cbcd300976fd743b1349f7ae

Download Submit
C:\Program Files\TortoiseGit\bin\SciLexer_tgit.dll

Filesize
1.8MB

MD5
b893a2d1d2e37a4a384b4fb968b4bc9a

SHA1
53656b0a141b7f702e95b2bb20ef056a49ce9322

SHA256
2cfe03cba6d0d036a63fcb9db7775e0a3e1d928101871119a7e3235147d1e895

SHA512
f8dc598c13efb9c5dc32efff3e2e3d0971cc17ae7e4367f8f10314e724ba4d24e6020ed6914f1bffae3d3a215a83c230fa90df90cbcd300976fd743b1349f7ae

Download Submit
C:\Program Files\TortoiseGit\bin\TortoiseGit.dll

Filesize
4.3MB

MD5
2863efc5ab961fd65ae59f5df8092977

SHA1
1253958f6fd6704cdd9641d68f9091e0733e2124

SHA256
27ccf8aa950fded4fc4d3e9b861355aeb38877f67d58fa92a3ffc9f76810825b

SHA512
32b31dee57b4b7e615a48163c032ecccbeee9aca381d555d096fc3737ef09d4b4db46f294b9178b4b2f6b698297a898ce459d9f42c950674f34fad8b2d7d64f9

Download Submit
C:\Program Files\TortoiseGit\bin\TortoiseGit.dll

Filesize
4.3MB

MD5
2863efc5ab961fd65ae59f5df8092977

SHA1
1253958f6fd6704cdd9641d68f9091e0733e2124

SHA256
27ccf8aa950fded4fc4d3e9b861355aeb38877f67d58fa92a3ffc9f76810825b

SHA512
32b31dee57b4b7e615a48163c032ecccbeee9aca381d555d096fc3737ef09d4b4db46f294b9178b4b2f6b698297a898ce459d9f42c950674f34fad8b2d7d64f9

Download Submit
C:\Program Files\TortoiseGit\bin\TortoiseGitProc.exe

Filesize
13.0MB

MD5
0aeb946e4b63cf02c5b9298d54dd5119

SHA1
372c990319f325d7c9adcb58b859b4d6397f5f59

SHA256
d3293cbcf17127a6900372853fdc1c662856c7b0a7cc2b34927ceb6c716f6abd

SHA512
884a79295b6d79b7c297f8366e5727e96f9eeacd4268e3e221c3b76e3c39b8d9782f356fa9522e799e52d5ae9c85dcc6be9b12bfc14cc10f39966483eb24a39c

Download Submit
C:\Program Files\TortoiseGit\bin\TortoiseGitStub.dll

Filesize
120KB

MD5
ac6f6f1d67a21b8a436d5d7abcaa2371

SHA1
a8955b01079e0b4c90cb552e3294c86fb5e09875

SHA256
4dd231bd313b388ee7f9ffc18ca30686a14081d3a8bfb224c6a771ad6f5d2c80

SHA512
f1c48c6cd131547561ea802ad60c5883e3c6eda464d8919b882835c5b4c53d0fdc98cafe9a19ea2d4002d78867e24a69dbf42231ae5f868f21e52de334134abc

Download Submit
C:\Program Files\TortoiseGit\bin\TortoiseGitStub.dll

Filesize
120KB

MD5
ac6f6f1d67a21b8a436d5d7abcaa2371

SHA1
a8955b01079e0b4c90cb552e3294c86fb5e09875

SHA256
4dd231bd313b388ee7f9ffc18ca30686a14081d3a8bfb224c6a771ad6f5d2c80

SHA512
f1c48c6cd131547561ea802ad60c5883e3c6eda464d8919b882835c5b4c53d0fdc98cafe9a19ea2d4002d78867e24a69dbf42231ae5f868f21e52de334134abc

Download Submit
C:\Program Files\TortoiseGit\bin\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Program Files\TortoiseGit\bin\VCRUNTIME140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Program Files\TortoiseGit\bin\crshhndl.dll

Filesize
74KB

MD5
970f308b79db8d6817cd6ba044be61c6

SHA1
fd6e31053470e9c0bdd2a589c884f57fd5c2516e

SHA256
bf73ff4bceba976e0c6b3ea4b73d745d1a9713002d2af01a76ab484fd1d157f7

SHA512
c1cb3e62b572124497603029aafe274fc0ae870b6e0639421b7898daa68e64b458bd9f43ea146a2ac8e462a268997c7407c892bfef66f5d5a5be90d5dc8983e6

Download Submit
C:\Program Files\TortoiseGit\bin\crshhndl.dll

Filesize
74KB

MD5
970f308b79db8d6817cd6ba044be61c6

SHA1
fd6e31053470e9c0bdd2a589c884f57fd5c2516e

SHA256
bf73ff4bceba976e0c6b3ea4b73d745d1a9713002d2af01a76ab484fd1d157f7

SHA512
c1cb3e62b572124497603029aafe274fc0ae870b6e0639421b7898daa68e64b458bd9f43ea146a2ac8e462a268997c7407c892bfef66f5d5a5be90d5dc8983e6

Download Submit
C:\Program Files\TortoiseGit\bin\gitdll.dll

Filesize
1.6MB

MD5
aa5db721386141903aac39b50d31befd

SHA1
83dde347cb24a460a0298bfcc6fc61972889fb83

SHA256
d690f254b299db9bbc192f175b0217c7b51bda753fc055260eddf1604fac2bcd

SHA512
eb7a6b09b6b6b442359cc21a8c5c89b0a0483b0b8e2183ca8debd3830c70c1660f50722fc53b9b3c48a92fb832364f7b997c4cfda68e8c9beb19782d027b3dbc

Download Submit
C:\Program Files\TortoiseGit\bin\gitdll.dll

Filesize
1.6MB

MD5
aa5db721386141903aac39b50d31befd

SHA1
83dde347cb24a460a0298bfcc6fc61972889fb83

SHA256
d690f254b299db9bbc192f175b0217c7b51bda753fc055260eddf1604fac2bcd

SHA512
eb7a6b09b6b6b442359cc21a8c5c89b0a0483b0b8e2183ca8debd3830c70c1660f50722fc53b9b3c48a92fb832364f7b997c4cfda68e8c9beb19782d027b3dbc

Download Submit
C:\Program Files\TortoiseGit\bin\gitdll.dll

Filesize
1.6MB

MD5
aa5db721386141903aac39b50d31befd

SHA1
83dde347cb24a460a0298bfcc6fc61972889fb83

SHA256
d690f254b299db9bbc192f175b0217c7b51bda753fc055260eddf1604fac2bcd

SHA512
eb7a6b09b6b6b442359cc21a8c5c89b0a0483b0b8e2183ca8debd3830c70c1660f50722fc53b9b3c48a92fb832364f7b997c4cfda68e8c9beb19782d027b3dbc

Download Submit
C:\Program Files\TortoiseGit\bin\gitdll.dll

Filesize
1.6MB

MD5
aa5db721386141903aac39b50d31befd

SHA1
83dde347cb24a460a0298bfcc6fc61972889fb83

SHA256
d690f254b299db9bbc192f175b0217c7b51bda753fc055260eddf1604fac2bcd

SHA512
eb7a6b09b6b6b442359cc21a8c5c89b0a0483b0b8e2183ca8debd3830c70c1660f50722fc53b9b3c48a92fb832364f7b997c4cfda68e8c9beb19782d027b3dbc

Download Submit
C:\Program Files\TortoiseGit\bin\libgit2_tgit.dll

Filesize
1.7MB

MD5
c1b21bc28b4c7a455da8ac6e86426c0b

SHA1
051a536a50d3cd5a683b0d6b1f95a3a0f6998063

SHA256
c4513a0acf893b35d54f8840f3ca037b5bdd5dc2be9a3a4a9bb61499d1dca543

SHA512
b389e3d1e4e55b8c85c54ed9a9c3bf58fee2450ba3482de6bbe3e6edb67efdb445d4d794687e489b8ca847cb156b8762f77d1d2bb3bb839f83228a56f70e5bf7

Download Submit
C:\Program Files\TortoiseGit\bin\libgit2_tgit.dll

Filesize
1.7MB

MD5
c1b21bc28b4c7a455da8ac6e86426c0b

SHA1
051a536a50d3cd5a683b0d6b1f95a3a0f6998063

SHA256
c4513a0acf893b35d54f8840f3ca037b5bdd5dc2be9a3a4a9bb61499d1dca543

SHA512
b389e3d1e4e55b8c85c54ed9a9c3bf58fee2450ba3482de6bbe3e6edb67efdb445d4d794687e489b8ca847cb156b8762f77d1d2bb3bb839f83228a56f70e5bf7

Download Submit
C:\Program Files\TortoiseGit\bin\libgit2_tgit.dll

Filesize
1.7MB

MD5
c1b21bc28b4c7a455da8ac6e86426c0b

SHA1
051a536a50d3cd5a683b0d6b1f95a3a0f6998063

SHA256
c4513a0acf893b35d54f8840f3ca037b5bdd5dc2be9a3a4a9bb61499d1dca543

SHA512
b389e3d1e4e55b8c85c54ed9a9c3bf58fee2450ba3482de6bbe3e6edb67efdb445d4d794687e489b8ca847cb156b8762f77d1d2bb3bb839f83228a56f70e5bf7

Download Submit
C:\Program Files\TortoiseGit\bin\libgit2_tgit.dll

Filesize
1.7MB

MD5
c1b21bc28b4c7a455da8ac6e86426c0b

SHA1
051a536a50d3cd5a683b0d6b1f95a3a0f6998063

SHA256
c4513a0acf893b35d54f8840f3ca037b5bdd5dc2be9a3a4a9bb61499d1dca543

SHA512
b389e3d1e4e55b8c85c54ed9a9c3bf58fee2450ba3482de6bbe3e6edb67efdb445d4d794687e489b8ca847cb156b8762f77d1d2bb3bb839f83228a56f70e5bf7

Download Submit
C:\Program Files\TortoiseGit\bin\mfc140u.dll

Filesize
5.4MB

MD5
0f3bccc38502c5543c02266e6e62b738

SHA1
4c5eb318eeea2c208e6931178d3cc5b1d59c4e2b

SHA256
bc9eb4f2c8a8e9f1ab4cf67b935bbe13e5fe456faa8b9e1d486ef81c27c4d810

SHA512
de9758b1eae1c2f1375b415b44dc2b8c3b65fafae9aaab53db85341f7c00f9499d9dda9a80a89a3d4fc7f4f7bffd335564863d5a2ea7719d59e13f7d1ee4f87a

Download Submit
C:\Program Files\TortoiseGit\bin\mfc140u.dll

Filesize
5.4MB

MD5
0f3bccc38502c5543c02266e6e62b738

SHA1
4c5eb318eeea2c208e6931178d3cc5b1d59c4e2b

SHA256
bc9eb4f2c8a8e9f1ab4cf67b935bbe13e5fe456faa8b9e1d486ef81c27c4d810

SHA512
de9758b1eae1c2f1375b415b44dc2b8c3b65fafae9aaab53db85341f7c00f9499d9dda9a80a89a3d4fc7f4f7bffd335564863d5a2ea7719d59e13f7d1ee4f87a

Download Submit
C:\Program Files\TortoiseGit\bin\msvcp140.dll

Filesize
566KB

MD5
0929e46b1020b372956f204f85e48ed6

SHA1
9dc01cf3892406727c8dc7d12ad8855871c9ef09

SHA256
cb3c74d6fcc091f4eb7c67ee5eb5f76c1c973dea8b1c6b851fcca62c2a9d8aa8

SHA512
dd28fca139d316e2cc4d13a6adffb7af6f1a9dc1fc7297976a4d5103fae44de555a951b99f7601590b331f6dbb9bfc592d31980135e3858e265064117012c8d5

Download Submit
C:\Program Files\TortoiseGit\bin\msvcp140.dll

Filesize
566KB

MD5
0929e46b1020b372956f204f85e48ed6

SHA1
9dc01cf3892406727c8dc7d12ad8855871c9ef09

SHA256
cb3c74d6fcc091f4eb7c67ee5eb5f76c1c973dea8b1c6b851fcca62c2a9d8aa8

SHA512
dd28fca139d316e2cc4d13a6adffb7af6f1a9dc1fc7297976a4d5103fae44de555a951b99f7601590b331f6dbb9bfc592d31980135e3858e265064117012c8d5

Download Submit
C:\Program Files\TortoiseGit\bin\vcruntime140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Program Files\TortoiseGit\bin\vcruntime140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Program Files\TortoiseGit\bin\vcruntime140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Program Files\TortoiseGit\bin\vcruntime140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Program Files\TortoiseGit\bin\zlib1_tgit.dll

Filesize
102KB

MD5
bd447e47cb1696a87f7e9eb637707b5b

SHA1
55fef10e3ec8ee4a1f27f6d0cf100187edf36e72

SHA256
fdca53a9a4ee1a7a31d91015b9edab449c5787d5e9483c55bb5aeb495f08e325

SHA512
6583560362434713616a03b0028348c452be6fd5244d2c632878e10230ed0505b449d279b633b1ad877480317c6defd97fdca106c0102125603f382410ca4ced

Download Submit
C:\Program Files\TortoiseGit\bin\zlib1_tgit.dll

Filesize
102KB

MD5
bd447e47cb1696a87f7e9eb637707b5b

SHA1
55fef10e3ec8ee4a1f27f6d0cf100187edf36e72

SHA256
fdca53a9a4ee1a7a31d91015b9edab449c5787d5e9483c55bb5aeb495f08e325

SHA512
6583560362434713616a03b0028348c452be6fd5244d2c632878e10230ed0505b449d279b633b1ad877480317c6defd97fdca106c0102125603f382410ca4ced

Download Submit
C:\Program Files\TortoiseGit\bin\zlib1_tgit.dll

Filesize
102KB

MD5
bd447e47cb1696a87f7e9eb637707b5b

SHA1
55fef10e3ec8ee4a1f27f6d0cf100187edf36e72

SHA256
fdca53a9a4ee1a7a31d91015b9edab449c5787d5e9483c55bb5aeb495f08e325

SHA512
6583560362434713616a03b0028348c452be6fd5244d2c632878e10230ed0505b449d279b633b1ad877480317c6defd97fdca106c0102125603f382410ca4ced

Download Submit
C:\Program Files\TortoiseGit\bin\zlib1_tgit.dll

Filesize
102KB

MD5
bd447e47cb1696a87f7e9eb637707b5b

SHA1
55fef10e3ec8ee4a1f27f6d0cf100187edf36e72

SHA256
fdca53a9a4ee1a7a31d91015b9edab449c5787d5e9483c55bb5aeb495f08e325

SHA512
6583560362434713616a03b0028348c452be6fd5244d2c632878e10230ed0505b449d279b633b1ad877480317c6defd97fdca106c0102125603f382410ca4ced

Download Submit
C:\Program Files\TortoiseGit\bin\zlib1_tgit.dll

Filesize
102KB

MD5
bd447e47cb1696a87f7e9eb637707b5b

SHA1
55fef10e3ec8ee4a1f27f6d0cf100187edf36e72

SHA256
fdca53a9a4ee1a7a31d91015b9edab449c5787d5e9483c55bb5aeb495f08e325

SHA512
6583560362434713616a03b0028348c452be6fd5244d2c632878e10230ed0505b449d279b633b1ad877480317c6defd97fdca106c0102125603f382410ca4ced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E4160FB650E5091C535216313A4ECD3_20C3F4F7FED3CB1A59B8C17661A3E75C

Filesize
2KB

MD5
89ab8652fdbf1723258a0b6ba4bee911

SHA1
c6a9f80d09d2c2070e19b830436343b895f2f234

SHA256
603098f18185de92923403ba3445117dce3fba652b236cc339a05d6e3d09a3f8

SHA512
252a66362c8ec54460f0965c65d8755dcc75a895a88a53d80935915b0cc926139441076176037663d18bf9b1ea7e37a75f00f87136139be4344c49c12a9414b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E4160FB650E5091C535216313A4ECD3_20C3F4F7FED3CB1A59B8C17661A3E75C

Filesize
416B

MD5
94588a7ec2b3cee2aa44a343869c38ad

SHA1
95b92b94cd539ccc6774d048c75c6898d40fa920

SHA256
8714af59125819cc99624faced0e5e6436718bba0c48f9335b1cf83e580a8fce

SHA512
34f62060fff1fc6b205133cee74aeab26b93619ae51c7abe29cdf945b03a5bf13a484cc7e2f593aff2e53de9fe988a8b488daa925db9773c83196f69355dbe88

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8D19.tmp

Filesize
230KB

MD5
8ff25cf00be5be641fc5a561dc956367

SHA1
c69568aa0689163a43b15d42191b66cd81450d73

SHA256
7c466b50cd1e37ce8c6189935a5586f41514ec810899e2cdb528c79e38d7c96d

SHA512
d68ea4ac1f01c72277342e2ec004223633e6c17400d11b3b9721bb8f1059d0cba6b7fb899d9d7f6c23f9ec4efa4f7b668b47aba8b759b01c1532eb1ebda49e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8D19.tmp

Filesize
230KB

MD5
8ff25cf00be5be641fc5a561dc956367

SHA1
c69568aa0689163a43b15d42191b66cd81450d73

SHA256
7c466b50cd1e37ce8c6189935a5586f41514ec810899e2cdb528c79e38d7c96d

SHA512
d68ea4ac1f01c72277342e2ec004223633e6c17400d11b3b9721bb8f1059d0cba6b7fb899d9d7f6c23f9ec4efa4f7b668b47aba8b759b01c1532eb1ebda49e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\RExC2EF.exe

Filesize
134KB

MD5
12b850bd89182666af38b662a0d8902b

SHA1
1b1844de46a3f1362187399368c18ee6a66e5ed6

SHA256
328f7b7d468e7ba1defa7ad8a77adb7ef307ff9f23da8e86683db2ffcfb8f36f

SHA512
163311b99d5e99b1c90ba736c9b248a9ab2fbfcb6178d401923dbd6016c00642fd61aa47202f33928d2a0c7d79afcda4f63b613e6531ae5cdcfcc0ec1c07c2bf

Download Submit
C:\Windows\Installer\MSI39DE.tmp

Filesize
233KB

MD5
69ce0f47a489fc5ed1980b43bf0eb0e6

SHA1
3f6d8ceece019812d43a0de767fc7bd72f2ce241

SHA256
b29b65905905f7d9279737fad9ee4dbfb9375109ec03c0db2d96e11b031e9a70

SHA512
ade5af5a8ca4716eb651d7de0f9bfd9c2f155884a022312fa808439f56b55ac5375dda3b4cd2dcf9af105d99cdc991e74250246f7c600a13b80507859bf43bb7

Download Submit
C:\Windows\Installer\MSI39DE.tmp

Filesize
233KB

MD5
69ce0f47a489fc5ed1980b43bf0eb0e6

SHA1
3f6d8ceece019812d43a0de767fc7bd72f2ce241

SHA256
b29b65905905f7d9279737fad9ee4dbfb9375109ec03c0db2d96e11b031e9a70

SHA512
ade5af5a8ca4716eb651d7de0f9bfd9c2f155884a022312fa808439f56b55ac5375dda3b4cd2dcf9af105d99cdc991e74250246f7c600a13b80507859bf43bb7

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
d20c1b6af9b19ba62b304b1d94e68b7c

SHA1
eec89ba5c262af0bfd8716f454b830343a330ce8

SHA256
844baa75299d9d9623a3b02953a95708dbb317fe7314078a99124709fb72c093

SHA512
ec6d7b72c5f85f6da91aa70b8cde3c2d463859943a72c53fb51797b525bd5eedf43a5dd52c83d9cdf91788dd9d1b4a03c1bbf2bbfa4f9f80ede53e7e96ace7ca

Download Submit
\??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{19716090-b9c6-4ce2-a98f-6ae1390efcc9}_OnDiskSnapshotProp

Filesize
5KB

MD5
bbceb83e365982a4eeabebdd40eae4c6

SHA1
5387efe1bc253c1e3ad805d3ca01e061939b33f0

SHA256
9c02bce5c3b7f48c9d5902696b419437eafe4042aa49dca8591a1573975f20e1

SHA512
4f48574403be6656ce00f6977f679c6b7b01378d4e383a14dc4a3cb1dd955f71f30b8a2c7a6026c633e7d65a22f0a677e67152ba21daa4477e8a410f1549348e

Download Submit
memory/844-191-0x00000232DC2A0000-0x00000232DC2C2000-memory.dmp

Filesize
136KB

Download
memory/844-192-0x00000232DC780000-0x00000232DC7C4000-memory.dmp

Filesize
272KB

Download
memory/844-194-0x00007FFEAFE00000-0x00007FFEB08C1000-memory.dmp

Filesize
10.8MB

Download
memory/844-193-0x00000232DC850000-0x00000232DC8C6000-memory.dmp

Filesize
472KB

Download
memory/844-195-0x00007FFEAFE00000-0x00007FFEB08C1000-memory.dmp

Filesize
10.8MB

Download
memory/4072-159-0x00007FF7A2720000-0x00007FF7A342C000-memory.dmp

Filesize
13.0MB

Download