df07f0f3d9888fd153d5d08f4a8ccb1ba4f2553316d78e101c1800bc42f9ad0c

Resubmissions

12/02/2023, 12:07

230212-paay5sdg59 10

12/02/2023, 11:53

230212-n2lz2sdf89 10

Analysis

max time kernel
1232s
max time network
1252s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2023, 12:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

TortoiseGit-2.14.0.0-64bit.msi
Size

21.6MB
MD5

ca36bf3998301057ab7f4f64a84085f5
SHA1

66353468825a754f384f9c1bd3e34b37bd9071f7
SHA256

df07f0f3d9888fd153d5d08f4a8ccb1ba4f2553316d78e101c1800bc42f9ad0c
SHA512

87ad935e1329a0e6076b3a58e27e149b08adbc516328ecbe47707d41601af9b0277a8a591a5fee723d3d9e9778e123e6434f23d1a930b12d5f10519df6f23636
SSDEEP

393216:348DJa1Zmo8Swa0evzN0eAUAyzziv7asm7sf7SG8aQASSV7e9Jdmq6sbNyPDN:348Vkmz4zN0KA1TgcqarSSV7e4bB

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\lnkfile\shellex\ContextMenuHandlers\TortoiseGit	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TortoiseGit\ = "{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}"	msiexec.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
6	4788	msiexec.exe
7	4788	msiexec.exe
16	4788	msiexec.exe
18	4788	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
5028	RExD01D.exe

Loads dropped DLL 17 IoCs

pid	Process
2176	MsiExec.exe
3092	MsiExec.exe
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found
2932	Process not Found

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9642A3D3-7425-49F6-8F75-6A001F716AED}\LocalServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\GitWCRevCOM.exe /automation"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B94B098-57C6-4C39-9DC5-8EB00E423D3E}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A38915E4-A460-4143-8D6B-0B45564C6A00}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4E453CBA-2AAB-465C-A01E-627A7BE9ED73}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E453CBA-2AAB-465C-A01E-627A7BE9ED73}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1B94B098-57C6-4C39-9DC5-8EB00E423D3E}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E453CBA-2AAB-465C-A01E-627A7BE9ED73}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{475A024D-6157-4E03-8C61-D1FA9806415C}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9642A3D3-7425-49F6-8F75-6A001F716AED}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{9642A3D3-7425-49F6-8F75-6A001F716AED}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B94B098-57C6-4C39-9DC5-8EB00E423D3E}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{475A024D-6157-4E03-8C61-D1FA9806415C}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\BlipClean\ConflictIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Modern\ReadOnlyIcon.ico	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TortoiseOverlays\icons\XPStyle\DeletedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\apr License.txt	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Blip\UnversionedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesVista\IgnoredIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Function\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Subclipse\LockedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-crt-conio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Win10\DeletedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\XPStyle\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\package.msix	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesVista\UnversionedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Illustration\DeletedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\mfc140rus.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Modern\UnversionedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\mfc140kor.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\TortoiseGitBlame.exe	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\XPStyle\UnversionedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-core-debug-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\vccorlib140.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\XPStyle\IgnoredIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Flat\LockedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\gitdll32.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Professional\AddedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-crt-locale-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Win10\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\XPStyle\ConflictIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\sshaskpass.exe	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Flat\UnversionedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Ribbon\ConflictIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesVista\ConflictIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesXP\LockedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\Languages\en_GB.dic	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Function\NormalIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Straight\UnversionedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Flat\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\mfc140u.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Professional\LockedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-crt-utility-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\XPStyle\DeletedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\BlipClean\LockedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Illustration\ReadOnlyIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-core-processthreads-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-crt-multibyte-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesXP\AddedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Modern\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Straight\NormalIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\BlipClean\NormalIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\CVSClassic\AddedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\CVSClassic\NormalIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesVista\ReadOnlyIcon.ico	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TortoiseOverlays\icons\XPStyle\LockedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\SciLexer_tgit.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Win10\IgnoredIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Illustration\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\mfc140ita.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\notepad2.exe	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Professional\UnversionedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Illustration\NormalIcon.ico	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{BD164598-BAEE-485E-B56F-6578A8C4C6CE}\TGITIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{BD164598-BAEE-485E-B56F-6578A8C4C6CE}\TGITIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\e6596dd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{BD164598-BAEE-485E-B56F-6578A8C4C6CE}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9FD7.tmp	msiexec.exe
File created	C:\Windows\Installer\e6596df.msi	msiexec.exe
File created	C:\Windows\Installer\e6596dd.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI98D1.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000045e03923b2b2bc3e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000045e039230000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090045e03923000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000045e0392300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000045e0392300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\TortoiseGit\ = "{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2E334DC-2799-4961-9FCC-C324CB5FD205}\1.0\0\win32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryLocation\ShellEx\ContextMenuHandlers\TortoiseGit\ = "{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\GitWCRev.object.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\github-windows	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}\ = "TortoiseGit"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GitWCRev.object\CurVer\ = "GitWCRev.object.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}\ = "TortoiseSVN"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\TortoiseGit	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\TortoiseGit\ = "{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TortoiseGit\ = "{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{475A024D-6157-4E03-8C61-D1FA9806415C}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{475A024D-6157-4E03-8C61-D1FA9806415C}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TortoiseGit.UrlHandler\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.patch\OpenWithProgids	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E453CBA-2AAB-465C-A01E-627A7BE9ED73}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9642A3D3-7425-49F6-8F75-6A001F716AED}\ProgID\ = "GitWCRev.object.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\PropertySheetHandlers\TortoiseGit\ = "{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2E334DC-2799-4961-9FCC-C324CB5FD205}\1.0\HELPDIR\ = "C:\\Program Files\\TortoiseGit\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.patch\PerceivedType = "text"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\ = "TortoiseSVN"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}\ = "TortoiseSVN"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tortoisegit.patch.document\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F2E334DC-2799-4961-9FCC-C324CB5FD205}\1.0\0\win32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9642A3D3-7425-49F6-8F75-6A001F716AED}\LocalServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\GitWCRevCOM.exe /automation"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GitWCRev.object\CLSID\ = "{9642A3D3-7425-49F6-8F75-6A001F716AED}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\GitWCRev.object.1\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\lnkfile\shellex\ContextMenuHandlers\TortoiseGit	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TortoiseGit.UrlHandler	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4E453CBA-2AAB-465C-A01E-627A7BE9ED73}\ = "TortoiseGit"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\TortoiseGitProc.exe\NoOpenWith	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F2E334DC-2799-4961-9FCC-C324CB5FD205}\1.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}\ = "TortoiseSVN"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TortoiseGit.GitUrlHandler\shell\open\command\ = "\"C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitProc.exe\" /command:clone /url:\"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{41886E22-73C4-49E8-8831-37F79CED16FE}	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2508	msiexec.exe
2508	msiexec.exe
3548	PowerShell.exe
3548	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4788	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4788	msiexec.exe
Token: SeSecurityPrivilege	2508	msiexec.exe
Token: SeCreateTokenPrivilege	4788	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4788	msiexec.exe
Token: SeLockMemoryPrivilege	4788	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4788	msiexec.exe
Token: SeMachineAccountPrivilege	4788	msiexec.exe
Token: SeTcbPrivilege	4788	msiexec.exe
Token: SeSecurityPrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeLoadDriverPrivilege	4788	msiexec.exe
Token: SeSystemProfilePrivilege	4788	msiexec.exe
Token: SeSystemtimePrivilege	4788	msiexec.exe
Token: SeProfSingleProcessPrivilege	4788	msiexec.exe
Token: SeIncBasePriorityPrivilege	4788	msiexec.exe
Token: SeCreatePagefilePrivilege	4788	msiexec.exe
Token: SeCreatePermanentPrivilege	4788	msiexec.exe
Token: SeBackupPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeShutdownPrivilege	4788	msiexec.exe
Token: SeDebugPrivilege	4788	msiexec.exe
Token: SeAuditPrivilege	4788	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4788	msiexec.exe
Token: SeChangeNotifyPrivilege	4788	msiexec.exe
Token: SeRemoteShutdownPrivilege	4788	msiexec.exe
Token: SeUndockPrivilege	4788	msiexec.exe
Token: SeSyncAgentPrivilege	4788	msiexec.exe
Token: SeEnableDelegationPrivilege	4788	msiexec.exe
Token: SeManageVolumePrivilege	4788	msiexec.exe
Token: SeImpersonatePrivilege	4788	msiexec.exe
Token: SeCreateGlobalPrivilege	4788	msiexec.exe
Token: SeBackupPrivilege	2892	vssvc.exe
Token: SeRestorePrivilege	2892	vssvc.exe
Token: SeAuditPrivilege	2892	vssvc.exe
Token: SeBackupPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4788	msiexec.exe
4788	msiexec.exe
5028	RExD01D.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 3192	2508	msiexec.exe	97
PID 2508 wrote to memory of 3192	2508	msiexec.exe	97
PID 2508 wrote to memory of 2176	2508	msiexec.exe	99
PID 2508 wrote to memory of 2176	2508	msiexec.exe	99
PID 2508 wrote to memory of 2176	2508	msiexec.exe	99
PID 2508 wrote to memory of 3092	2508	msiexec.exe	102
PID 2508 wrote to memory of 3092	2508	msiexec.exe	102
PID 3092 wrote to memory of 5028	3092	MsiExec.exe	103
PID 3092 wrote to memory of 5028	3092	MsiExec.exe	103

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TortoiseGit-2.14.0.0-64bit.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4788

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3192
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 21885ADF089F37936CE66F6CA4E9E2FA
  2⤵
  - Loads dropped DLL
  PID:2176
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding C0E062CED6DD5AC182F79437B5221DC2 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\RExD01D.exe
    "C:\Users\Admin\AppData\Local\Temp\RExD01D.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:5028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4880

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Program Files\TortoiseGit\bin'
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TortoiseGit\bin\TortoiseGit.dll

Filesize
4.3MB

MD5
2863efc5ab961fd65ae59f5df8092977

SHA1
1253958f6fd6704cdd9641d68f9091e0733e2124

SHA256
27ccf8aa950fded4fc4d3e9b861355aeb38877f67d58fa92a3ffc9f76810825b

SHA512
32b31dee57b4b7e615a48163c032ecccbeee9aca381d555d096fc3737ef09d4b4db46f294b9178b4b2f6b698297a898ce459d9f42c950674f34fad8b2d7d64f9

Download Submit
C:\Program Files\TortoiseGit\bin\TortoiseGit.dll

Filesize
4.3MB

MD5
2863efc5ab961fd65ae59f5df8092977

SHA1
1253958f6fd6704cdd9641d68f9091e0733e2124

SHA256
27ccf8aa950fded4fc4d3e9b861355aeb38877f67d58fa92a3ffc9f76810825b

SHA512
32b31dee57b4b7e615a48163c032ecccbeee9aca381d555d096fc3737ef09d4b4db46f294b9178b4b2f6b698297a898ce459d9f42c950674f34fad8b2d7d64f9

Download Submit
C:\Program Files\TortoiseGit\bin\TortoiseGitProc.exe

Filesize
13.0MB

MD5
0aeb946e4b63cf02c5b9298d54dd5119

SHA1
372c990319f325d7c9adcb58b859b4d6397f5f59

SHA256
d3293cbcf17127a6900372853fdc1c662856c7b0a7cc2b34927ceb6c716f6abd

SHA512
884a79295b6d79b7c297f8366e5727e96f9eeacd4268e3e221c3b76e3c39b8d9782f356fa9522e799e52d5ae9c85dcc6be9b12bfc14cc10f39966483eb24a39c

Download Submit
C:\Program Files\TortoiseGit\bin\TortoiseGitStub.dll

Filesize
120KB

MD5
ac6f6f1d67a21b8a436d5d7abcaa2371

SHA1
a8955b01079e0b4c90cb552e3294c86fb5e09875

SHA256
4dd231bd313b388ee7f9ffc18ca30686a14081d3a8bfb224c6a771ad6f5d2c80

SHA512
f1c48c6cd131547561ea802ad60c5883e3c6eda464d8919b882835c5b4c53d0fdc98cafe9a19ea2d4002d78867e24a69dbf42231ae5f868f21e52de334134abc

Download Submit
C:\Program Files\TortoiseGit\bin\TortoiseGitStub.dll

Filesize
120KB

MD5
ac6f6f1d67a21b8a436d5d7abcaa2371

SHA1
a8955b01079e0b4c90cb552e3294c86fb5e09875

SHA256
4dd231bd313b388ee7f9ffc18ca30686a14081d3a8bfb224c6a771ad6f5d2c80

SHA512
f1c48c6cd131547561ea802ad60c5883e3c6eda464d8919b882835c5b4c53d0fdc98cafe9a19ea2d4002d78867e24a69dbf42231ae5f868f21e52de334134abc

Download Submit
C:\Program Files\TortoiseGit\bin\gitdll.dll

Filesize
1.6MB

MD5
aa5db721386141903aac39b50d31befd

SHA1
83dde347cb24a460a0298bfcc6fc61972889fb83

SHA256
d690f254b299db9bbc192f175b0217c7b51bda753fc055260eddf1604fac2bcd

SHA512
eb7a6b09b6b6b442359cc21a8c5c89b0a0483b0b8e2183ca8debd3830c70c1660f50722fc53b9b3c48a92fb832364f7b997c4cfda68e8c9beb19782d027b3dbc

Download Submit
C:\Program Files\TortoiseGit\bin\gitdll.dll

Filesize
1.6MB

MD5
aa5db721386141903aac39b50d31befd

SHA1
83dde347cb24a460a0298bfcc6fc61972889fb83

SHA256
d690f254b299db9bbc192f175b0217c7b51bda753fc055260eddf1604fac2bcd

SHA512
eb7a6b09b6b6b442359cc21a8c5c89b0a0483b0b8e2183ca8debd3830c70c1660f50722fc53b9b3c48a92fb832364f7b997c4cfda68e8c9beb19782d027b3dbc

Download Submit
C:\Program Files\TortoiseGit\bin\libgit2_tgit.dll

Filesize
1.7MB

MD5
c1b21bc28b4c7a455da8ac6e86426c0b

SHA1
051a536a50d3cd5a683b0d6b1f95a3a0f6998063

SHA256
c4513a0acf893b35d54f8840f3ca037b5bdd5dc2be9a3a4a9bb61499d1dca543

SHA512
b389e3d1e4e55b8c85c54ed9a9c3bf58fee2450ba3482de6bbe3e6edb67efdb445d4d794687e489b8ca847cb156b8762f77d1d2bb3bb839f83228a56f70e5bf7

Download Submit
C:\Program Files\TortoiseGit\bin\libgit2_tgit.dll

Filesize
1.7MB

MD5
c1b21bc28b4c7a455da8ac6e86426c0b

SHA1
051a536a50d3cd5a683b0d6b1f95a3a0f6998063

SHA256
c4513a0acf893b35d54f8840f3ca037b5bdd5dc2be9a3a4a9bb61499d1dca543

SHA512
b389e3d1e4e55b8c85c54ed9a9c3bf58fee2450ba3482de6bbe3e6edb67efdb445d4d794687e489b8ca847cb156b8762f77d1d2bb3bb839f83228a56f70e5bf7

Download Submit
C:\Program Files\TortoiseGit\bin\msvcp140.dll

Filesize
566KB

MD5
0929e46b1020b372956f204f85e48ed6

SHA1
9dc01cf3892406727c8dc7d12ad8855871c9ef09

SHA256
cb3c74d6fcc091f4eb7c67ee5eb5f76c1c973dea8b1c6b851fcca62c2a9d8aa8

SHA512
dd28fca139d316e2cc4d13a6adffb7af6f1a9dc1fc7297976a4d5103fae44de555a951b99f7601590b331f6dbb9bfc592d31980135e3858e265064117012c8d5

Download Submit
C:\Program Files\TortoiseGit\bin\vcruntime140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Program Files\TortoiseGit\bin\vcruntime140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Program Files\TortoiseGit\bin\vcruntime140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Program Files\TortoiseGit\bin\zlib1_tgit.dll

Filesize
102KB

MD5
bd447e47cb1696a87f7e9eb637707b5b

SHA1
55fef10e3ec8ee4a1f27f6d0cf100187edf36e72

SHA256
fdca53a9a4ee1a7a31d91015b9edab449c5787d5e9483c55bb5aeb495f08e325

SHA512
6583560362434713616a03b0028348c452be6fd5244d2c632878e10230ed0505b449d279b633b1ad877480317c6defd97fdca106c0102125603f382410ca4ced

Download Submit
C:\Program Files\TortoiseGit\bin\zlib1_tgit.dll

Filesize
102KB

MD5
bd447e47cb1696a87f7e9eb637707b5b

SHA1
55fef10e3ec8ee4a1f27f6d0cf100187edf36e72

SHA256
fdca53a9a4ee1a7a31d91015b9edab449c5787d5e9483c55bb5aeb495f08e325

SHA512
6583560362434713616a03b0028348c452be6fd5244d2c632878e10230ed0505b449d279b633b1ad877480317c6defd97fdca106c0102125603f382410ca4ced

Download Submit
C:\Program Files\TortoiseGit\bin\zlib1_tgit.dll

Filesize
102KB

MD5
bd447e47cb1696a87f7e9eb637707b5b

SHA1
55fef10e3ec8ee4a1f27f6d0cf100187edf36e72

SHA256
fdca53a9a4ee1a7a31d91015b9edab449c5787d5e9483c55bb5aeb495f08e325

SHA512
6583560362434713616a03b0028348c452be6fd5244d2c632878e10230ed0505b449d279b633b1ad877480317c6defd97fdca106c0102125603f382410ca4ced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4

Filesize
1KB

MD5
bf37c510fe4bc4db65c434dcc404675e

SHA1
779362df8a840b7b976a657257a71bfa32a2a374

SHA256
48314ff856045c8101348eff14be1c24e8c454e25f4727a6513febc00c70f012

SHA512
0f887ab2c1c72684e798d8b55547f631779a4514ea1d3228f69081f7e0c47eefd6878d5b1053faf120973db39892c4db46efe99e97d15a4343b5a5cc3b8a1a6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E4160FB650E5091C535216313A4ECD3_20C3F4F7FED3CB1A59B8C17661A3E75C

Filesize
2KB

MD5
89ab8652fdbf1723258a0b6ba4bee911

SHA1
c6a9f80d09d2c2070e19b830436343b895f2f234

SHA256
603098f18185de92923403ba3445117dce3fba652b236cc339a05d6e3d09a3f8

SHA512
252a66362c8ec54460f0965c65d8755dcc75a895a88a53d80935915b0cc926139441076176037663d18bf9b1ea7e37a75f00f87136139be4344c49c12a9414b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4

Filesize
412B

MD5
a3e67a28c753d5ec206c13f3de4e033a

SHA1
a28fc159bb180ef442dd1368baf803233933e2eb

SHA256
8f53693ab00d2274619e761a731ed0abe7d983fe99e94f61f7e7390244ad4b96

SHA512
af0c883068220380a5df17bc6c92b8a0994c61a3bb69198a50f58b2c4228d10dab332adee5ebe361c4b7cc6bb42db94cd0cebd20aa63580615595d8b6d7e058a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E4160FB650E5091C535216313A4ECD3_20C3F4F7FED3CB1A59B8C17661A3E75C

Filesize
416B

MD5
0e5bbe88856244a703f0fc358a0718ae

SHA1
27bc3dcc3e61cfadf2f968c38174d4221c2d657d

SHA256
5b35b05f5b19bdfc90b43dcd6aa6ebf587eb0ebe9e2ae6ad045af32f6fd1e77f

SHA512
ce3d79fea333f058ea9f828eb72ff476e4872b2ff40afcb99e6d987d581ef0b4bf111649c7516e3f07af6c1d082453f2f8128095f4fd63c0dd3bd571cf136bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICFBF.tmp

Filesize
230KB

MD5
8ff25cf00be5be641fc5a561dc956367

SHA1
c69568aa0689163a43b15d42191b66cd81450d73

SHA256
7c466b50cd1e37ce8c6189935a5586f41514ec810899e2cdb528c79e38d7c96d

SHA512
d68ea4ac1f01c72277342e2ec004223633e6c17400d11b3b9721bb8f1059d0cba6b7fb899d9d7f6c23f9ec4efa4f7b668b47aba8b759b01c1532eb1ebda49e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICFBF.tmp

Filesize
230KB

MD5
8ff25cf00be5be641fc5a561dc956367

SHA1
c69568aa0689163a43b15d42191b66cd81450d73

SHA256
7c466b50cd1e37ce8c6189935a5586f41514ec810899e2cdb528c79e38d7c96d

SHA512
d68ea4ac1f01c72277342e2ec004223633e6c17400d11b3b9721bb8f1059d0cba6b7fb899d9d7f6c23f9ec4efa4f7b668b47aba8b759b01c1532eb1ebda49e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\RExD01D.exe

Filesize
134KB

MD5
12b850bd89182666af38b662a0d8902b

SHA1
1b1844de46a3f1362187399368c18ee6a66e5ed6

SHA256
328f7b7d468e7ba1defa7ad8a77adb7ef307ff9f23da8e86683db2ffcfb8f36f

SHA512
163311b99d5e99b1c90ba736c9b248a9ab2fbfcb6178d401923dbd6016c00642fd61aa47202f33928d2a0c7d79afcda4f63b613e6531ae5cdcfcc0ec1c07c2bf

Download Submit
C:\Windows\Installer\MSI98D1.tmp

Filesize
233KB

MD5
69ce0f47a489fc5ed1980b43bf0eb0e6

SHA1
3f6d8ceece019812d43a0de767fc7bd72f2ce241

SHA256
b29b65905905f7d9279737fad9ee4dbfb9375109ec03c0db2d96e11b031e9a70

SHA512
ade5af5a8ca4716eb651d7de0f9bfd9c2f155884a022312fa808439f56b55ac5375dda3b4cd2dcf9af105d99cdc991e74250246f7c600a13b80507859bf43bb7

Download Submit
C:\Windows\Installer\MSI98D1.tmp

Filesize
233KB

MD5
69ce0f47a489fc5ed1980b43bf0eb0e6

SHA1
3f6d8ceece019812d43a0de767fc7bd72f2ce241

SHA256
b29b65905905f7d9279737fad9ee4dbfb9375109ec03c0db2d96e11b031e9a70

SHA512
ade5af5a8ca4716eb651d7de0f9bfd9c2f155884a022312fa808439f56b55ac5375dda3b4cd2dcf9af105d99cdc991e74250246f7c600a13b80507859bf43bb7

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
11.8MB

MD5
6096f6d03c28971196446c61efbba231

SHA1
0ab65e527566c63ab13042a2ee9c359ea43028e7

SHA256
ec7bd2f5d10a6781366621139a5cc10f80ad1209efa38725999396dfdd79c993

SHA512
d5aa8fc3de57239cdeb966be2f3f011dbc9cb668b713b329896729233f070f3616a30f9d839cd3a4b1b1d5494e1de84a70cf3a21602dde7362c21b7a3b9ae8e9

Download Submit
\??\Volume{2339e045-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5cb294a4-cf3b-4175-8ebc-ed05aa2f8a4c}_OnDiskSnapshotProp

Filesize
5KB

MD5
07f94d76e0aa6047c5595c3e0c0288b1

SHA1
d9f5ed649902914f34a94cbb4351e346c25c9769

SHA256
87560608f81aa0f10b82afb586ade713e4f4f14c42f9ce0be05d2cfba8a5be00

SHA512
3a4fe992d0a9a8115cb705517dd5be47ac0028066e9e5b73b12a6c81c207e10103cd66e97dbb60c4fdddd33fb405994bd29a7cd0fb873a6266f51583f6774902

Download Submit
memory/3548-162-0x00000215D8060000-0x00000215D8082000-memory.dmp

Filesize
136KB

Download
memory/3548-163-0x00000215D8520000-0x00000215D8564000-memory.dmp

Filesize
272KB

Download
memory/3548-164-0x00007FF83B590000-0x00007FF83C051000-memory.dmp

Filesize
10.8MB

Download
memory/3548-165-0x00000215D85F0000-0x00000215D8666000-memory.dmp

Filesize
472KB

Download
memory/3548-166-0x00007FF83B590000-0x00007FF83C051000-memory.dmp

Filesize
10.8MB

Download
memory/3548-167-0x00000215D84F0000-0x00000215D850E000-memory.dmp

Filesize
120KB

Download