df07f0f3d9888fd153d5d08f4a8ccb1ba4f2553316d78e101c1800bc42f9ad0c

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-04-2023 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TortoiseGit-2.14.0.0-64bit.msi
Size

21.6MB
MD5

ca36bf3998301057ab7f4f64a84085f5
SHA1

66353468825a754f384f9c1bd3e34b37bd9071f7
SHA256

df07f0f3d9888fd153d5d08f4a8ccb1ba4f2553316d78e101c1800bc42f9ad0c
SHA512

87ad935e1329a0e6076b3a58e27e149b08adbc516328ecbe47707d41601af9b0277a8a591a5fee723d3d9e9778e123e6434f23d1a930b12d5f10519df6f23636
SSDEEP

393216:348DJa1Zmo8Swa0evzN0eAUAyzziv7asm7sf7SG8aQASSV7e9Jdmq6sbNyPDN:348Vkmz4zN0KA1TgcqarSSV7e4bB

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
9	4960	msiexec.exe
11	4960	msiexec.exe
13	4960	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
840	TortoiseGitProc.exe
4440	REx944C.exe

Loads dropped DLL 11 IoCs

pid	Process
544	MsiExec.exe
5116	MsiExec.exe
840	TortoiseGitProc.exe
840	TortoiseGitProc.exe
840	TortoiseGitProc.exe
840	TortoiseGitProc.exe
840	TortoiseGitProc.exe
840	TortoiseGitProc.exe
840	TortoiseGitProc.exe
840	TortoiseGitProc.exe
840	TortoiseGitProc.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\lnkfile\shellex\ContextMenuHandlers\TortoiseGit	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TortoiseGit\ = "{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}"	msiexec.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{9642A3D3-7425-49F6-8F75-6A001F716AED}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E453CBA-2AAB-465C-A01E-627A7BE9ED73}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A38915E4-A460-4143-8D6B-0B45564C6A00}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4E453CBA-2AAB-465C-A01E-627A7BE9ED73}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E453CBA-2AAB-465C-A01E-627A7BE9ED73}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B94B098-57C6-4C39-9DC5-8EB00E423D3E}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9642A3D3-7425-49F6-8F75-6A001F716AED}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A38915E4-A460-4143-8D6B-0B45564C6A00}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{475A024D-6157-4E03-8C61-D1FA9806415C}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A38915E4-A460-4143-8D6B-0B45564C6A00}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{475A024D-6157-4E03-8C61-D1FA9806415C}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B94B098-57C6-4C39-9DC5-8EB00E423D3E}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9642A3D3-7425-49F6-8F75-6A001F716AED}\LocalServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\GitWCRevCOM.exe /automation"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{475A024D-6157-4E03-8C61-D1FA9806415C}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A38915E4-A460-4143-8D6B-0B45564C6A00}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\TortoiseGit\bin\SciLexer_tgit.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Straight\LockedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Win10\DeletedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\Changelog-pre2.0.txt	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Function\IgnoredIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Professional\IgnoredIcon.ico	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TortoiseOverlays\icons\XPStyle\IgnoredIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Illustration\AddedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\mfc140enu.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Straight\ReadOnlyIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\msvcp140_2.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Straight\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Blip\NormalIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Illustration\NormalIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Modern\LockedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Modern\DeletedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\crshhndl.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesVista\LockedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\mfc140fra.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Win10\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Blip\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\License.txt	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\TGitCache.exe	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\MufWin7\ConflictIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\TortoiseGitProc.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TortoiseOverlays\icons\XPStyle\ReadOnlyIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Function\AddedIcon.ico	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TortoiseOverlays\License.txt	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Straight\UnversionedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-core-processthreads-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Win10\ConflictIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\sshaskpass.exe	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\CVSClassic\NormalIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesXP\NormalIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\libgit2_tgit.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Subclipse\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TortoiseOverlays\icons\XPStyle\ConflictIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesXP\AddedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\Languages\en_GB.aff	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Professional\AddedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Ribbon\ConflictIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-core-interlocked-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\TortoiseGitUDiff.exe	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\XPStyle\ConflictIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\CVSClassic\AddedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesXP\DeletedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\mfc140cht.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\vcruntime140.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Ribbon\AddedIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Subclipse\NormalIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Win10\NormalIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\Diff-Scripts\diff-dll.vbs	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Illustration\ConflictIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\mfc140kor.dll	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\api-ms-win-crt-conio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\TortoiseOverlays\icons\XPStyle\NormalIcon.ico	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\DechenesVista\ModifiedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\pageant.exe	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\TortoiseGitStub.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll	msiexec.exe
File created	C:\Program Files\Common Files\TortoiseOverlays\icons\Straight\DeletedIcon.ico	msiexec.exe
File created	C:\Program Files\TortoiseGit\bin\autolist.txt	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C2.tmp	msiexec.exe
File created	C:\Windows\Installer\{BD164598-BAEE-485E-B56F-6578A8C4C6CE}\TGITIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{BD164598-BAEE-485E-B56F-6578A8C4C6CE}\TGITIcon	msiexec.exe
File created	C:\Windows\Installer\e57f8c9.msi	msiexec.exe
File created	C:\Windows\Installer\e57f8c7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f8c7.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFBA6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{BD164598-BAEE-485E-B56F-6578A8C4C6CE}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a8dca56a4fb650f70000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a8dca56a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a8dca56a000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a8dca56a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a8dca56a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B94B098-57C6-4C39-9DC5-8EB00E423D3E}\ = "TortoiseGit"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E453CBA-2AAB-465C-A01E-627A7BE9ED73}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A38915E4-A460-4143-8D6B-0B45564C6A00}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\895461DBEEABE5845BF656878A4C6CEC\ProductName = "TortoiseGit 2.14.0.0 (64 bit)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\895461DBEEABE5845BF656878A4C6CEC\PackageCode = "A0B8CC326DAA3A345A872CE44174A017"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\TortoiseGit	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{41886E22-73C4-49E8-8831-37F79CED16FE}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41886E22-73C4-49E8-8831-37F79CED16FE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\github-windows	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\github-windows\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\tortoisegit.diff.document	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\ = "TortoiseGit"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{1B94B098-57C6-4C39-9DC5-8EB00E423D3E}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\tortoisegit.patch.document	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18BF1135-6EA2-405F-A71E-16EEE7F71F8B}\ = "TortoiseGit"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\TortoiseGitProc.exe\IsHostApp	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9642A3D3-7425-49F6-8F75-6A001F716AED}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GitWCRev.object.1\ = "GitWCRev Server Object"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TortoiseGit.UrlHandler	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\x-github-client\ = "URL: X-Github-Client Protocol"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A38915E4-A460-4143-8D6B-0B45564C6A00}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\*\shellex\PropertySheetHandlers\TortoiseGit	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ = "C:\\Program Files (x86)\\Common Files\\TortoiseOverlays\\TortoiseOverlays.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tortoisegit.patch.document\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GitWCRev.object\CLSID\ = "{9642A3D3-7425-49F6-8F75-6A001F716AED}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F2E334DC-2799-4961-9FCC-C324CB5FD205}\1.0\0\win32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\TortoiseGit	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B94B098-57C6-4C39-9DC5-8EB00E423D3E}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{41886E22-73C4-49E8-8831-37F79CED16FE}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D69716CD-6993-4D0D-898F-5EBBC25C5D4D}\ = "TortoiseGit"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\ = "TortoiseGit"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F2E334DC-2799-4961-9FCC-C324CB5FD205}\1.0\HELPDIR	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}\ = "TortoiseSVN"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DA7CDCB-DC0B-4246-80BD-812E942734AF}\ = "TortoiseGit"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2E334DC-2799-4961-9FCC-C324CB5FD205}\1.0\0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\TortoiseGitProc.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TortoiseGit\ = "{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\ShellEx\ContextMenuHandlers\TortoiseGit\ = "{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10A0FDD2-B0C0-4CD4-A7AE-E594CE3B91C8}\InProcServer32\ = "C:\\Program Files\\TortoiseGit\\bin\\TortoiseGitStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A4800FA-13B4-4CB4-9A37-97E7FAEDA731}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\895461DBEEABE5845BF656878A4C6CEC\SSHPlink = "DefaultFeature"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{451C7E59-058F-450A-8C42-FE9A12A302FC}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F380D0B-EE64-479B-B2AD-EF437BF4B0A6}\InProcServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{9642A3D3-7425-49F6-8F75-6A001F716AED}\LocalServer32	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3396	msiexec.exe
3396	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4960	msiexec.exe
Token: SeSecurityPrivilege	3396	msiexec.exe
Token: SeCreateTokenPrivilege	4960	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4960	msiexec.exe
Token: SeLockMemoryPrivilege	4960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4960	msiexec.exe
Token: SeMachineAccountPrivilege	4960	msiexec.exe
Token: SeTcbPrivilege	4960	msiexec.exe
Token: SeSecurityPrivilege	4960	msiexec.exe
Token: SeTakeOwnershipPrivilege	4960	msiexec.exe
Token: SeLoadDriverPrivilege	4960	msiexec.exe
Token: SeSystemProfilePrivilege	4960	msiexec.exe
Token: SeSystemtimePrivilege	4960	msiexec.exe
Token: SeProfSingleProcessPrivilege	4960	msiexec.exe
Token: SeIncBasePriorityPrivilege	4960	msiexec.exe
Token: SeCreatePagefilePrivilege	4960	msiexec.exe
Token: SeCreatePermanentPrivilege	4960	msiexec.exe
Token: SeBackupPrivilege	4960	msiexec.exe
Token: SeRestorePrivilege	4960	msiexec.exe
Token: SeShutdownPrivilege	4960	msiexec.exe
Token: SeDebugPrivilege	4960	msiexec.exe
Token: SeAuditPrivilege	4960	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4960	msiexec.exe
Token: SeChangeNotifyPrivilege	4960	msiexec.exe
Token: SeRemoteShutdownPrivilege	4960	msiexec.exe
Token: SeUndockPrivilege	4960	msiexec.exe
Token: SeSyncAgentPrivilege	4960	msiexec.exe
Token: SeEnableDelegationPrivilege	4960	msiexec.exe
Token: SeManageVolumePrivilege	4960	msiexec.exe
Token: SeImpersonatePrivilege	4960	msiexec.exe
Token: SeCreateGlobalPrivilege	4960	msiexec.exe
Token: SeBackupPrivilege	1052	vssvc.exe
Token: SeRestorePrivilege	1052	vssvc.exe
Token: SeAuditPrivilege	1052	vssvc.exe
Token: SeBackupPrivilege	3396	msiexec.exe
Token: SeRestorePrivilege	3396	msiexec.exe
Token: SeRestorePrivilege	3396	msiexec.exe
Token: SeTakeOwnershipPrivilege	3396	msiexec.exe
Token: SeRestorePrivilege	3396	msiexec.exe
Token: SeTakeOwnershipPrivilege	3396	msiexec.exe
Token: SeBackupPrivilege	4584	srtasks.exe
Token: SeRestorePrivilege	4584	srtasks.exe
Token: SeSecurityPrivilege	4584	srtasks.exe
Token: SeTakeOwnershipPrivilege	4584	srtasks.exe
Token: SeBackupPrivilege	4584	srtasks.exe
Token: SeRestorePrivilege	4584	srtasks.exe
Token: SeSecurityPrivilege	4584	srtasks.exe
Token: SeTakeOwnershipPrivilege	4584	srtasks.exe
Token: SeRestorePrivilege	3396	msiexec.exe
Token: SeTakeOwnershipPrivilege	3396	msiexec.exe
Token: SeRestorePrivilege	3396	msiexec.exe
Token: SeTakeOwnershipPrivilege	3396	msiexec.exe
Token: SeRestorePrivilege	3396	msiexec.exe
Token: SeTakeOwnershipPrivilege	3396	msiexec.exe
Token: SeRestorePrivilege	3396	msiexec.exe
Token: SeTakeOwnershipPrivilege	3396	msiexec.exe
Token: SeRestorePrivilege	3396	msiexec.exe
Token: SeTakeOwnershipPrivilege	3396	msiexec.exe
Token: SeRestorePrivilege	3396	msiexec.exe
Token: SeTakeOwnershipPrivilege	3396	msiexec.exe
Token: SeRestorePrivilege	3396	msiexec.exe
Token: SeTakeOwnershipPrivilege	3396	msiexec.exe
Token: SeRestorePrivilege	3396	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4960	msiexec.exe
4440	REx944C.exe
4960	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
840	TortoiseGitProc.exe
840	TortoiseGitProc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 4584	3396	msiexec.exe	97
PID 3396 wrote to memory of 4584	3396	msiexec.exe	97
PID 3396 wrote to memory of 544	3396	msiexec.exe	99
PID 3396 wrote to memory of 544	3396	msiexec.exe	99
PID 3396 wrote to memory of 544	3396	msiexec.exe	99
PID 3396 wrote to memory of 5116	3396	msiexec.exe	102
PID 3396 wrote to memory of 5116	3396	msiexec.exe	102
PID 4960 wrote to memory of 840	4960	msiexec.exe	101
PID 4960 wrote to memory of 840	4960	msiexec.exe	101
PID 5116 wrote to memory of 4440	5116	MsiExec.exe	103
PID 5116 wrote to memory of 4440	5116	MsiExec.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TortoiseGit-2.14.0.0-64bit.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Program Files\TortoiseGit\bin\TortoiseGitProc.exe
  "C:\Program Files\TortoiseGit\bin\TortoiseGitProc.exe" /command:firststart
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:840

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6987980ED99D05C0373BB59460D0A65E
  2⤵
  - Loads dropped DLL
  PID:544
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding B1E57879DA0C01A4C56D7AA281917867 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\REx944C.exe
    "C:\Users\Admin\AppData\Local\Temp\REx944C.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:4440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f8c8.rbs

Filesize
97KB

MD5
b46200fca43be53f11cccb28a1e568f2

SHA1
8eedb9c8cafcf1754342fe2912c1805abf3e5fb3

SHA256
2e8f7056e7b150950034f3c2626247bd2f1fd91054cc1775669b0a7cdb1b0a29

SHA512
edef4d18207dbfd6a149b167e8191facfb5f73667259df1e8839e76ee979c69b268579531e26592adbb14772d1757ca04068d728981212955012b1b9720afd36

Download Submit
C:\Program Files (x86)\Common Files\TortoiseOverlays\icons\XPStyle\IgnoredIcon.ico

Filesize
31KB

MD5
cf15744ad19756eb089f48848a0b0514

SHA1
a68ddf3b4553b34e2b6cd6aa30e6242a6ea9ec60

SHA256
8e8c74fb8ed84184c0671df1d6a17f538a5926981e2d0f05603d87f7a3100f5b

SHA512
c5c87e8e0c85068a14b28ad269ef12561611df41205d0490c1e5dbbe167c4d538ab3941cddf4fb26ea28a8ab0d4d6fca1a8665b558b1cea6f55c34546bbe205d

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\diff-dll.vbs

Filesize
3KB

MD5
abb8f8871af4b4d0cdbae0df5df70692

SHA1
921a8805f47bf2e32a23f4510e7c9bf513c8bd42

SHA256
661ef095b5c632a6421f203cb678f62aa6868976563e7ae312306509bcff4f96

SHA512
94c664aa4f31500e593c3569bec41863a913e1434e0f003723c4bf3f7487371f1ed7d4e40076b7b92f4e75e6b841969409990ff348b088adee07c081e8fd7880

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\diff-doc.js

Filesize
6KB

MD5
9aae354ae3be1302fae0f9ed867b36bf

SHA1
678167b05a490256fa09c688dde1e3bfaa3ccea1

SHA256
bd04b62a765e2f80ad1cbef08cd25a78903819e1dae1c3d556f394e28e7877b5

SHA512
64c09f0dd0337f6beb462f5e3f46c005fcffcc911b2dd1d5405c65a74e4565642e925048b4867e70d0bc64624a7633bfcc9aeffd33d690fec9b0f4725680a84d

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\diff-nb.vbs

Filesize
2KB

MD5
a0985ea2b1611046ad28222b9f85518d

SHA1
4acae43a89fb6c43b5ebadcd05b2b5ef6afb4253

SHA256
75a347426b014895ba0f6db181ad77f9ea94f8b8699ad4072f823d460a7e5ed7

SHA512
1d05de8238f621765431b012e75ec2f69258270021cdee7a84c77ce7862b355f0a619daaf95c026dcd6c9f339ebf72a450372ac38fc9cb2d2dfefb151010399c

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\diff-odt.vbs

Filesize
3KB

MD5
355ec00e12136e70f08ec743ecee977b

SHA1
48f61d618ee780e0fcb9606723076da46094b785

SHA256
6887109cfee016e1cc6437d261470a034eac99fc7c73d986285f838c0656c686

SHA512
a7c2d93526da48b6d4332237b8adcb259c0fb831df48416d1830204c07ed107abf8fef3f734a7a578aa381d9bce66f7107fe00030224467cda35d1a12a1a0fd1

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\diff-ppt.js

Filesize
2KB

MD5
ff9f2b866a9eaf58879c0ec583b89e39

SHA1
f800a5631dadcdb013d3243952c25852c9cd6862

SHA256
aa83e8156a87bfab1018b844cf5f8449c82b9d9a6ffbf02431d67875ca8ae6ac

SHA512
05651d1d6b4c83c78baf45599b63b9755e410fa19e0cd35e14f32604dd8721b1b34d29d8bc3eb8669990fdd396249bb55c04146b5cb896f482bed14e7e474e09

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\diff-sxw.vbs

Filesize
2KB

MD5
8934717fda7f427816b180f2e0b8ad28

SHA1
d171845540ff22c2037f20e4cb0f53a467177bb7

SHA256
197a05dccc2e82697179095598f1dfba73a8d15705218a7627928b1f53f2c3c1

SHA512
3ef8e1c1746ab8e0226d3b81149d9d1f7e40f80d5f98cbdad0d945f11209ef25e8c5be4491e7dfc7653ae2474aad1a69c92ea8b923c4c33ccbf94dbece05c004

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\diff-xls.js

Filesize
9KB

MD5
0943261a7b8750564c2c0af2e4d93edb

SHA1
7871cf7515c126161be09edd395d33bada827419

SHA256
9ad4e170365cc2e1fffa6f7ef59182f642a40d08b9edb2421e57df9d28aa7608

SHA512
711e3c8a062cf5881cdf6411292d3e9ab21380e27a9274d7087016db2269ce75478aa0a28bc6abd2b38008473d9afdcc501d0bc8a0c47b8d8bfb3bbf551095cc

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\merge-doc.js

Filesize
3KB

MD5
a43e6663646067ddc248ec766a36b503

SHA1
81e794ba5abbe86d83370b333ed122b531e8b7e0

SHA256
ee86557d136a1a1d7fd052f741da90d32db7b5ce1e7d08dfb19dd5570228915e

SHA512
5ceb36b9ddcc88607d114922b03b2d4892cb1b36f5e9850b6354bb4ce5d2c6c5111561883fb90dd5462ad10f35137430a102043e5c9acdb553b805f4dc3e9b9b

Download Submit
C:\Program Files\TortoiseGit\Diff-Scripts\merge-ods.vbs

Filesize
3KB

MD5
83e424e1b559a3257652cf7e3519ad64

SHA1
e44ba7b35ce4c69acf1633e88e4dd43468b2bb19

SHA256
bfcbe021954bd7b886dd746b195d4463586fde7780cef83e618d7c66571ca733

SHA512
4cc3377d0cdc66114ba2278e4f905214e17379df8c5b5b3a5e1fe2754cf666989051b99b9bb53b309da861e07164912ecd566621f444d56fc50d14e6716bf8a0

Download Submit
C:\Program Files\TortoiseGit\bin\MFC140ENU.DLL

Filesize
68KB

MD5
f93cc93c178ee0d0dcec72b6590837b7

SHA1
d850aa17e90eaa85505b01191b9b4012cdf37de6

SHA256
2368b5905df1d205c956ec94594491241c2b83fd0d22928dfbe1ce7b1657abe2

SHA512
623bef9ce6a83a2576cf32e620767ad7dbc8a5c04c48d896b436f60d4a34d56bb44514079afd6f1580018791d486ee5102c329682f9372afa514232a4002f209

Download Submit
C:\Program Files\TortoiseGit\bin\MSVCP140.dll

Filesize
566KB

MD5
0929e46b1020b372956f204f85e48ed6

SHA1
9dc01cf3892406727c8dc7d12ad8855871c9ef09

SHA256
cb3c74d6fcc091f4eb7c67ee5eb5f76c1c973dea8b1c6b851fcca62c2a9d8aa8

SHA512
dd28fca139d316e2cc4d13a6adffb7af6f1a9dc1fc7297976a4d5103fae44de555a951b99f7601590b331f6dbb9bfc592d31980135e3858e265064117012c8d5

Download Submit
C:\Program Files\TortoiseGit\bin\SciLexer_tgit.dll

Filesize
1.8MB

MD5
b893a2d1d2e37a4a384b4fb968b4bc9a

SHA1
53656b0a141b7f702e95b2bb20ef056a49ce9322

SHA256
2cfe03cba6d0d036a63fcb9db7775e0a3e1d928101871119a7e3235147d1e895

SHA512
f8dc598c13efb9c5dc32efff3e2e3d0971cc17ae7e4367f8f10314e724ba4d24e6020ed6914f1bffae3d3a215a83c230fa90df90cbcd300976fd743b1349f7ae

Download Submit
C:\Program Files\TortoiseGit\bin\SciLexer_tgit.dll

Filesize
1.8MB

MD5
b893a2d1d2e37a4a384b4fb968b4bc9a

SHA1
53656b0a141b7f702e95b2bb20ef056a49ce9322

SHA256
2cfe03cba6d0d036a63fcb9db7775e0a3e1d928101871119a7e3235147d1e895

SHA512
f8dc598c13efb9c5dc32efff3e2e3d0971cc17ae7e4367f8f10314e724ba4d24e6020ed6914f1bffae3d3a215a83c230fa90df90cbcd300976fd743b1349f7ae

Download Submit
C:\Program Files\TortoiseGit\bin\TortoiseGitProc.exe

Filesize
13.0MB

MD5
0aeb946e4b63cf02c5b9298d54dd5119

SHA1
372c990319f325d7c9adcb58b859b4d6397f5f59

SHA256
d3293cbcf17127a6900372853fdc1c662856c7b0a7cc2b34927ceb6c716f6abd

SHA512
884a79295b6d79b7c297f8366e5727e96f9eeacd4268e3e221c3b76e3c39b8d9782f356fa9522e799e52d5ae9c85dcc6be9b12bfc14cc10f39966483eb24a39c

Download Submit
C:\Program Files\TortoiseGit\bin\TortoiseGitProc.exe

Filesize
13.0MB

MD5
0aeb946e4b63cf02c5b9298d54dd5119

SHA1
372c990319f325d7c9adcb58b859b4d6397f5f59

SHA256
d3293cbcf17127a6900372853fdc1c662856c7b0a7cc2b34927ceb6c716f6abd

SHA512
884a79295b6d79b7c297f8366e5727e96f9eeacd4268e3e221c3b76e3c39b8d9782f356fa9522e799e52d5ae9c85dcc6be9b12bfc14cc10f39966483eb24a39c

Download Submit
C:\Program Files\TortoiseGit\bin\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Program Files\TortoiseGit\bin\VCRUNTIME140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Program Files\TortoiseGit\bin\crshhndl.dll

Filesize
74KB

MD5
970f308b79db8d6817cd6ba044be61c6

SHA1
fd6e31053470e9c0bdd2a589c884f57fd5c2516e

SHA256
bf73ff4bceba976e0c6b3ea4b73d745d1a9713002d2af01a76ab484fd1d157f7

SHA512
c1cb3e62b572124497603029aafe274fc0ae870b6e0639421b7898daa68e64b458bd9f43ea146a2ac8e462a268997c7407c892bfef66f5d5a5be90d5dc8983e6

Download Submit
C:\Program Files\TortoiseGit\bin\crshhndl.dll

Filesize
74KB

MD5
970f308b79db8d6817cd6ba044be61c6

SHA1
fd6e31053470e9c0bdd2a589c884f57fd5c2516e

SHA256
bf73ff4bceba976e0c6b3ea4b73d745d1a9713002d2af01a76ab484fd1d157f7

SHA512
c1cb3e62b572124497603029aafe274fc0ae870b6e0639421b7898daa68e64b458bd9f43ea146a2ac8e462a268997c7407c892bfef66f5d5a5be90d5dc8983e6

Download Submit
C:\Program Files\TortoiseGit\bin\gitdll.dll

Filesize
1.6MB

MD5
aa5db721386141903aac39b50d31befd

SHA1
83dde347cb24a460a0298bfcc6fc61972889fb83

SHA256
d690f254b299db9bbc192f175b0217c7b51bda753fc055260eddf1604fac2bcd

SHA512
eb7a6b09b6b6b442359cc21a8c5c89b0a0483b0b8e2183ca8debd3830c70c1660f50722fc53b9b3c48a92fb832364f7b997c4cfda68e8c9beb19782d027b3dbc

Download Submit
C:\Program Files\TortoiseGit\bin\gitdll.dll

Filesize
1.6MB

MD5
aa5db721386141903aac39b50d31befd

SHA1
83dde347cb24a460a0298bfcc6fc61972889fb83

SHA256
d690f254b299db9bbc192f175b0217c7b51bda753fc055260eddf1604fac2bcd

SHA512
eb7a6b09b6b6b442359cc21a8c5c89b0a0483b0b8e2183ca8debd3830c70c1660f50722fc53b9b3c48a92fb832364f7b997c4cfda68e8c9beb19782d027b3dbc

Download Submit
C:\Program Files\TortoiseGit\bin\libgit2_tgit.dll

Filesize
1.7MB

MD5
c1b21bc28b4c7a455da8ac6e86426c0b

SHA1
051a536a50d3cd5a683b0d6b1f95a3a0f6998063

SHA256
c4513a0acf893b35d54f8840f3ca037b5bdd5dc2be9a3a4a9bb61499d1dca543

SHA512
b389e3d1e4e55b8c85c54ed9a9c3bf58fee2450ba3482de6bbe3e6edb67efdb445d4d794687e489b8ca847cb156b8762f77d1d2bb3bb839f83228a56f70e5bf7

Download Submit
C:\Program Files\TortoiseGit\bin\libgit2_tgit.dll

Filesize
1.7MB

MD5
c1b21bc28b4c7a455da8ac6e86426c0b

SHA1
051a536a50d3cd5a683b0d6b1f95a3a0f6998063

SHA256
c4513a0acf893b35d54f8840f3ca037b5bdd5dc2be9a3a4a9bb61499d1dca543

SHA512
b389e3d1e4e55b8c85c54ed9a9c3bf58fee2450ba3482de6bbe3e6edb67efdb445d4d794687e489b8ca847cb156b8762f77d1d2bb3bb839f83228a56f70e5bf7

Download Submit
C:\Program Files\TortoiseGit\bin\mfc140u.dll

Filesize
5.4MB

MD5
0f3bccc38502c5543c02266e6e62b738

SHA1
4c5eb318eeea2c208e6931178d3cc5b1d59c4e2b

SHA256
bc9eb4f2c8a8e9f1ab4cf67b935bbe13e5fe456faa8b9e1d486ef81c27c4d810

SHA512
de9758b1eae1c2f1375b415b44dc2b8c3b65fafae9aaab53db85341f7c00f9499d9dda9a80a89a3d4fc7f4f7bffd335564863d5a2ea7719d59e13f7d1ee4f87a

Download Submit
C:\Program Files\TortoiseGit\bin\mfc140u.dll

Filesize
5.4MB

MD5
0f3bccc38502c5543c02266e6e62b738

SHA1
4c5eb318eeea2c208e6931178d3cc5b1d59c4e2b

SHA256
bc9eb4f2c8a8e9f1ab4cf67b935bbe13e5fe456faa8b9e1d486ef81c27c4d810

SHA512
de9758b1eae1c2f1375b415b44dc2b8c3b65fafae9aaab53db85341f7c00f9499d9dda9a80a89a3d4fc7f4f7bffd335564863d5a2ea7719d59e13f7d1ee4f87a

Download Submit
C:\Program Files\TortoiseGit\bin\msvcp140.dll

Filesize
566KB

MD5
0929e46b1020b372956f204f85e48ed6

SHA1
9dc01cf3892406727c8dc7d12ad8855871c9ef09

SHA256
cb3c74d6fcc091f4eb7c67ee5eb5f76c1c973dea8b1c6b851fcca62c2a9d8aa8

SHA512
dd28fca139d316e2cc4d13a6adffb7af6f1a9dc1fc7297976a4d5103fae44de555a951b99f7601590b331f6dbb9bfc592d31980135e3858e265064117012c8d5

Download Submit
C:\Program Files\TortoiseGit\bin\vcruntime140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Program Files\TortoiseGit\bin\vcruntime140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Program Files\TortoiseGit\bin\zlib1_tgit.dll

Filesize
102KB

MD5
bd447e47cb1696a87f7e9eb637707b5b

SHA1
55fef10e3ec8ee4a1f27f6d0cf100187edf36e72

SHA256
fdca53a9a4ee1a7a31d91015b9edab449c5787d5e9483c55bb5aeb495f08e325

SHA512
6583560362434713616a03b0028348c452be6fd5244d2c632878e10230ed0505b449d279b633b1ad877480317c6defd97fdca106c0102125603f382410ca4ced

Download Submit
C:\Program Files\TortoiseGit\bin\zlib1_tgit.dll

Filesize
102KB

MD5
bd447e47cb1696a87f7e9eb637707b5b

SHA1
55fef10e3ec8ee4a1f27f6d0cf100187edf36e72

SHA256
fdca53a9a4ee1a7a31d91015b9edab449c5787d5e9483c55bb5aeb495f08e325

SHA512
6583560362434713616a03b0028348c452be6fd5244d2c632878e10230ed0505b449d279b633b1ad877480317c6defd97fdca106c0102125603f382410ca4ced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4

Filesize
1KB

MD5
f20fb2e84d157b553348ddb47459bab1

SHA1
0e9688bc54f315d307283c680d1064d4a3b4edb6

SHA256
2f2cf3241225cded1b84fe0bcd024f83cda38b9cd0a15bd6f78a2876162c62d8

SHA512
2abc8afc0c9043c800783e197ad6ce3c63ad39cdb25a520bf069736f891e654fd7f3443c6a5f54aa2674cd66911c43ce835509742821abf9f406fecbbbd4eb9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E4160FB650E5091C535216313A4ECD3_20C3F4F7FED3CB1A59B8C17661A3E75C

Filesize
2KB

MD5
c4acc383a38c935694933a805cf28ada

SHA1
8729a2dec6beb5fba2590b596f4497f1b1018fcb

SHA256
90de669576009c98cfa7f16ed0b2873c3885bf146ed25b50cd68f05ad3c4cd1d

SHA512
7dfc56cb948f835b1013dd4c601ec42cebbe385c0265601ee56217baaac52b05ff171ddbb1c19543247e77a4bf20a1e77998fb54c25c1a7a7a7aab31a49967ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4

Filesize
412B

MD5
80bd459d676dc143d28e86f1ca7a5d8a

SHA1
912e71631f906039cf9205c429e8a78967425490

SHA256
1dc9e37d398fb7e34cd6a72091e82628080ed41d962aeb12ec5886eeca50167b

SHA512
d593e6a361ebad1bb4deb40191a97a3dfa8806667864b247bb38a88de591001fc4531723f6c3e8169cacec3b0437b797474ae65029c60e4449be5bbe6591241e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E4160FB650E5091C535216313A4ECD3_20C3F4F7FED3CB1A59B8C17661A3E75C

Filesize
416B

MD5
e3b6bb3f7a052241db4a3d8508e75af8

SHA1
21b5f5b74befcf55db0f8e6a691c4a83e7adaf24

SHA256
a8104781112b9af40d64c292692d110fc24e9024e3482e4786ebded11ccc0351

SHA512
350d309a29e09d1b3c802d5d67863b63059aeb005ae69077d2e7a31a209a109bbf87ea1e0423ac13d26e0088cb329eebf0442f2199dcc5195762a1f6cbfe9305

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI93A0.tmp

Filesize
230KB

MD5
8ff25cf00be5be641fc5a561dc956367

SHA1
c69568aa0689163a43b15d42191b66cd81450d73

SHA256
7c466b50cd1e37ce8c6189935a5586f41514ec810899e2cdb528c79e38d7c96d

SHA512
d68ea4ac1f01c72277342e2ec004223633e6c17400d11b3b9721bb8f1059d0cba6b7fb899d9d7f6c23f9ec4efa4f7b668b47aba8b759b01c1532eb1ebda49e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI93A0.tmp

Filesize
230KB

MD5
8ff25cf00be5be641fc5a561dc956367

SHA1
c69568aa0689163a43b15d42191b66cd81450d73

SHA256
7c466b50cd1e37ce8c6189935a5586f41514ec810899e2cdb528c79e38d7c96d

SHA512
d68ea4ac1f01c72277342e2ec004223633e6c17400d11b3b9721bb8f1059d0cba6b7fb899d9d7f6c23f9ec4efa4f7b668b47aba8b759b01c1532eb1ebda49e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\REx944C.exe

Filesize
134KB

MD5
12b850bd89182666af38b662a0d8902b

SHA1
1b1844de46a3f1362187399368c18ee6a66e5ed6

SHA256
328f7b7d468e7ba1defa7ad8a77adb7ef307ff9f23da8e86683db2ffcfb8f36f

SHA512
163311b99d5e99b1c90ba736c9b248a9ab2fbfcb6178d401923dbd6016c00642fd61aa47202f33928d2a0c7d79afcda4f63b613e6531ae5cdcfcc0ec1c07c2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\REx944C.exe

Filesize
134KB

MD5
12b850bd89182666af38b662a0d8902b

SHA1
1b1844de46a3f1362187399368c18ee6a66e5ed6

SHA256
328f7b7d468e7ba1defa7ad8a77adb7ef307ff9f23da8e86683db2ffcfb8f36f

SHA512
163311b99d5e99b1c90ba736c9b248a9ab2fbfcb6178d401923dbd6016c00642fd61aa47202f33928d2a0c7d79afcda4f63b613e6531ae5cdcfcc0ec1c07c2bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Git.library-ms

Filesize
278B

MD5
451090186ae724ec2d46362e4dd6769e

SHA1
c5813cd00e84d36990a8014f35fc4279158efeac

SHA256
fd26a2dd96ffa88a6c580aed17ca04a0bc0248846bcde416cc75db94c44941c9

SHA512
9dc97d5aa149f87acdbbc9868e1e939fe0a0c95ab37f2ee659297f73e605efb9abc6eb4873a6472c0af0d1016e90b9c3ccd50efe92c8a7967ca7a670c3b88451

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Git.library-ms

Filesize
476B

MD5
c2ac253d6d3af006dff254a8bc46d1c7

SHA1
c921f101b67ed2d18affc5ea25c42af4c7a15a77

SHA256
81201600a7af465d9ada4db568d3d2addcf70c229b981f8945cd1cac0849ca94

SHA512
e3e3334e9a34b0206aacc8274c6749ce5c89c7bafc6806cc06811bdf61d553c78f50eec76e4f69a16f9b022724f4bf04ada01b90d86fafc5eed44e4eddaf9579

Download Submit
C:\Windows\Installer\MSIFBA6.tmp

Filesize
233KB

MD5
69ce0f47a489fc5ed1980b43bf0eb0e6

SHA1
3f6d8ceece019812d43a0de767fc7bd72f2ce241

SHA256
b29b65905905f7d9279737fad9ee4dbfb9375109ec03c0db2d96e11b031e9a70

SHA512
ade5af5a8ca4716eb651d7de0f9bfd9c2f155884a022312fa808439f56b55ac5375dda3b4cd2dcf9af105d99cdc991e74250246f7c600a13b80507859bf43bb7

Download Submit
C:\Windows\Installer\MSIFBA6.tmp

Filesize
233KB

MD5
69ce0f47a489fc5ed1980b43bf0eb0e6

SHA1
3f6d8ceece019812d43a0de767fc7bd72f2ce241

SHA256
b29b65905905f7d9279737fad9ee4dbfb9375109ec03c0db2d96e11b031e9a70

SHA512
ade5af5a8ca4716eb651d7de0f9bfd9c2f155884a022312fa808439f56b55ac5375dda3b4cd2dcf9af105d99cdc991e74250246f7c600a13b80507859bf43bb7

Download Submit
C:\Windows\Installer\e57f8c7.msi

Filesize
21.6MB

MD5
ca36bf3998301057ab7f4f64a84085f5

SHA1
66353468825a754f384f9c1bd3e34b37bd9071f7

SHA256
df07f0f3d9888fd153d5d08f4a8ccb1ba4f2553316d78e101c1800bc42f9ad0c

SHA512
87ad935e1329a0e6076b3a58e27e149b08adbc516328ecbe47707d41601af9b0277a8a591a5fee723d3d9e9778e123e6434f23d1a930b12d5f10519df6f23636

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
11.8MB

MD5
c7610e597cc26580f835c08f49e2db35

SHA1
983802f02ef938a5bdac956024f3231a15ca622b

SHA256
c1facf51e49b116ae8062ae9a2ddd64c3ffcf5bc130ffc6284f05367c79cf748

SHA512
4f623513427d806f4ef6ec580fdcd4b49de6b58325b9a6956c6a92743b6726c65a6223e83fa8e9a90f0f7ea5ff1b05faa8a85135115e1a81a2dab32e857539d2

Download Submit
\??\Volume{6aa5dca8-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cbc1f9fa-aa48-486d-b759-de9e0c8dbba5}_OnDiskSnapshotProp

Filesize
5KB

MD5
2d9fb90ab2adbf224105944db67878aa

SHA1
c6a263eddf6d66f0056ef148a142ae21e57863a5

SHA256
f6a0a34b37a9811e66fceb512d0c619bba71b9d78d126092ef26ed9e2080d336

SHA512
759ffed3759a9a819c56decf4dab3b11da8ab6f9432f765f04e3984c4bd7e42d52d0055e1cd85063de6e0966456796e57d685409bc1d782e2030c690a37704ea

Download Submit
memory/840-497-0x00007FF6CE450000-0x00007FF6CF15C000-memory.dmp

Filesize
13.0MB

Download