Edit tour

Windows Analysis Report
Sentinel Protection Installer 7.7.0.msi

Overview

General Information

Sample Name:	Sentinel Protection Installer 7.7.0.msi
Analysis ID:	1309202
MD5:	bc551bea7edbaa75c8f5265731b4129c
SHA1:	a08ddd22f8cdcf089d231bc5f48b2509a74b16bd
SHA256:	98f650baeba0d9155ce8edabc8895f5631921070f6533c23381c759de089c19a
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Uses netsh to modify the Windows network and firewall settings

Opens the same file many times (likely Sandbox evasion)

Sample is not signed and drops a device driver

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Creates files inside the driver directory

Queries the volume information (name, serial number etc) of a device

Enables driver privileges

Drops PE files

Tries to load missing DLLs

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Drops PE files to the windows directory (C:\Windows)

Creates files inside the system directory

Creates driver files

Checks for available system drives (often done to infect USB drives)

Creates or modifies windows services

Queries disk information (often used to detect virtual machines)

Found dropped PE file which has not been started or loaded

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Process Tree

System is w10x64_ra

msiexec.exe (PID: 4212 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Sentinel Protection Installer 7.7.0.msi" MD5: 2D9F692E71D9985F1C6237F063F6FE76)

svchost.exe (PID: 3108 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 9520A99E77D6196D0D09833146424113)

msiexec.exe (PID: 5576 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 2D9F692E71D9985F1C6237F063F6FE76)

msiexec.exe (PID: 1624 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 2A3FD6EDBAC16BDB5CC0FC474B5EA5DC C MD5: F9A3EEE1C3A4067702BC9A59BC894285)

msiexec.exe (PID: 2116 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 81B999B40A8841E17F3D1975B81B491D MD5: F9A3EEE1C3A4067702BC9A59BC894285)

SentinelDriverInstallSupport.exe (PID: 1456 cmdline: "C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SentinelDriverInstallSupport.exe" -c installUSB MD5: 9F196CAABDFAEDDA36987C7E429FAC3E)

conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

SPNSrvSupport.exe (PID: 548 cmdline: "C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe" -c disable MD5: 7282E8C78BD3E795C883AFA736278724)

conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

netsh.exe (PID: 1376 cmdline: C:\Windows\System32\netsh.exe" exec "C:\Users\user\AppData\Local\Temp\SPSScript.dat MD5: 718A726FCC5EFCE3529E7A244D87F13F)

conhost.exe (PID: 5132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

SHKSrvSupport.exe (PID: 5564 cmdline: "C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe" -c disable MD5: 33BC5E6771B08A113CB2046367D2D604)

conhost.exe (PID: 1768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

netsh.exe (PID: 5592 cmdline: C:\Windows\System32\netsh.exe" exec "C:\Users\user\AppData\Local\Temp\script.dat MD5: 718A726FCC5EFCE3529E7A244D87F13F)

svchost.exe (PID: 4560 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc MD5: 9520A99E77D6196D0D09833146424113)

spnsrvnt.exe (PID: 5440 cmdline: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe MD5: 08F69063301755D895F531D8B185CD91)

sntlkeyssrvr.exe (PID: 1276 cmdline: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe MD5: 8C71AAABD1EB5B0359DDF41A6E84601B)

sntlsrtsrvr.exe (PID: 3052 cmdline: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe MD5: C2F8444C44F5B13D35330624636D5AF4)

svchost.exe (PID: 2104 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: 9520A99E77D6196D0D09833146424113)

drvinst.exe (PID: 5592 cmdline: DrvInst.exe "4" "8" "C:\Users\user\AppData\Local\Temp\{e5bbff9e-6243-724b-9979-0dd8daa8d4f3}\SNTUSB64.INF" "9" "49c45bedf" "00000000000001AC" "WinSta0\Default" "00000000000001B0" "208" "C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver" MD5: 100997A8B475B1D1B173BE8941DFE1A6)

conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

svchost.exe (PID: 1768 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 9520A99E77D6196D0D09833146424113)

cleanup

Process created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "8" "c:\users\user\appdata\local\temp\{e5bbff9e-6243-724b-9979-0dd8daa8d4f3}\sntusb64.inf" "9" "49c45bedf" "00000000000001ac" "winsta0\default" "00000000000001b0" "208" "c:\program files (x86)\common files\safenet sentinel\sentinel system driver"

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SentinelDriverInstallSupport.exe "C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SentinelDriverInstallSupport.exe" -c installUSB
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe "C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe" -c disable
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe "C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe" -c disable
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\System32\netsh.exe" exec "C:\Users\user\AppData\Local\Temp\SPSScript.dat
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\System32\netsh.exe" exec "C:\Users\user\AppData\Local\Temp\script.dat

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{a920d09f-d6e7-674c-b267-ecdb7908bd53}\sntusb64.cat VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe

Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\System32\netsh.exe" exec "C:\Users\user\AppData\Local\Temp\SPSScript.dat

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	2 Windows Management Instrumentation	2 Windows Service	2 Windows Service	41 Masquerading	OS Credential Dumping	2 Security Software Discovery	1 Replication Through Removable Media	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Command and Scripting Interpreter	1 LSASS Driver	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	13 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 DLL Side-Loading	1 LSASS Driver	13 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 DLL Side-Loading	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	43 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Source	Detection	Scanner	Label	Link
Sentinel Protection Installer 7.7.0.msi	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\MD5CHAP.dll	0%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\PwdGenUtility.exe	2%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe	0%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe	0%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvStop.exe	0%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe	0%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\MD5CHAP.dll	3%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\PwdGenUtility.exe	7%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe	4%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\loadserv.exe	0%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe	0%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\DIFxAPI.dll	0%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\DrvInstLauncher.exe	0%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SentinelDriverInstallSupport.exe	0%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SetupSysDriver.exe	0%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\snti386.dll	0%	ReversingLabs
C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\sntusb64.sys	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIA49D.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIA5B8.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIA5C8.tmp	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\C6080A060CE34DE468034496FCF4D82F\7.7.0\Global_VC_MFC42ANSICore_f0.51D569E2_8A28_11D2_B962_006097C4DE24	0%	ReversingLabs
C:\Windows\Installer\{60A0806C-3EC0-4ED4-8630-4469CF4F8DF2}\ARPPRODUCTICON.exe	0%	ReversingLabs
C:\Windows\Installer\{60A0806C-3EC0-4ED4-8630-4469CF4F8DF2}\_2646854DA5F3_11D4_8326_00D0B72E1DB9.exe	2%	ReversingLabs
C:\Windows\Installer\MSIF841.tmp	0%	ReversingLabs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.48.146.5	unknown	United States	20940	AKAMAI-ASN1EU	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
23.200.192.109	unknown	United States	2860	NOS_COMUNICACOESPT	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1309202
Start date and time:	2023-09-15 21:15:44 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample file name:	Sentinel Protection Installer 7.7.0.msi
Detection:	MAL
Classification:	mal52.evad.winMSI@29/83@0/14
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 8.253.131.111, 8.249.225.254, 8.252.65.254, 8.253.139.121, 67.26.237.254
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Sentinel Protection Installer 7.7.0.msi

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\svchost.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Sentinel Protection Installer 7.7.0.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2A3FD6EDBAC16BDB5CC0FC474B5EA5DC C
Source: unknown	Process created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
Source: unknown	Process created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
Source: unknown	Process created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 81B999B40A8841E17F3D1975B81B491D
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SentinelDriverInstallSupport.exe "C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SentinelDriverInstallSupport.exe" -c installUSB
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SentinelDriverInstallSupport.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "8" "C:\Users\user\AppData\Local\Temp\{e5bbff9e-6243-724b-9979-0dd8daa8d4f3}\SNTUSB64.INF" "9" "49c45bedf" "00000000000001AC" "WinSta0\Default" "00000000000001B0" "208" "C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe "C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe" -c disable
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\System32\netsh.exe" exec "C:\Users\user\AppData\Local\Temp\SPSScript.dat
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe "C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe" -c disable
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\System32\netsh.exe" exec "C:\Users\user\AppData\Local\Temp\script.dat
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2A3FD6EDBAC16BDB5CC0FC474B5EA5DC C
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SentinelDriverInstallSupport.exe "C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SentinelDriverInstallSupport.exe" -c installUSB
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe "C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe" -c disable
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe "C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe" -c disable
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\System32\netsh.exe" exec "C:\Users\user\AppData\Local\Temp\SPSScript.dat
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\System32\netsh.exe" exec "C:\Users\user\AppData\Local\Temp\script.dat
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 81B999B40A8841E17F3D1975B81B491D

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1768:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1768:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5132:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5132:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:304:WilStaging_02

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvStop.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{60A0806C-3EC0-4ED4-8630-4469CF4F8DF2}\_2646854DA5F3_11D4_8326_00D0B72E1DB9.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA5C8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\sntusb64.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\PwdGenUtility.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA49D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\DIFxAPI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF841.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SentinelDriverInstallSupport.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\DrvInstLauncher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\loadserv.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA5B8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\MD5CHAP.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\C6080A060CE34DE468034496FCF4D82F\7.7.0\Global_VC_MFC42ANSICore_f0.51D569E2_8A28_11D2_B962_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\snti386.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\MD5CHAP.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SetupSysDriver.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{60A0806C-3EC0-4ED4-8630-4469CF4F8DF2}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\PwdGenUtility.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SentinelDriverInstallSupport.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SentinelDriverInstallSupport.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe	File opened: \Device\RasAcd count: 46988
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe	File opened: \Device\RasAcd count: 69385

Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe	Window / User API: threadDelayed 3077
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe	Window / User API: threadDelayed 5424
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe	Window / User API: threadDelayed 6031
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe	Window / User API: threadDelayed 1454

Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe TID: 5192	Thread sleep time: -240000s >= -30000s
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe TID: 3464	Thread sleep count: 238 > 30
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe TID: 5192	Thread sleep time: -1200000s >= -30000s
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe TID: 5972	Thread sleep time: -210000s >= -30000s
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe TID: 4596	Thread sleep count: 34 > 30
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe TID: 4596	Thread sleep time: -34000s >= -30000s
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe TID: 4100	Thread sleep count: 3077 > 30
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe TID: 4100	Thread sleep time: -30770s >= -30000s
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe TID: 4508	Thread sleep count: 5424 > 30
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe TID: 4508	Thread sleep time: -108480s >= -30000s
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe TID: 5192	Thread sleep count: 216 > 30
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe TID: 5192	Thread sleep time: -25920000s >= -30000s
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe TID: 5192	Thread sleep time: -120000s >= -30000s
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe TID: 5972	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe TID: 5192	Thread sleep count: 6031 > 30
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe TID: 5192	Thread sleep time: -723720000s >= -30000s
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe TID: 5192	Thread sleep count: 1454 > 30
Source: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe TID: 5192	Thread sleep time: -174480000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5524	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\loadserv.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvStop.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{60A0806C-3EC0-4ED4-8630-4469CF4F8DF2}\_2646854DA5F3_11D4_8326_00D0B72E1DB9.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\C6080A060CE34DE468034496FCF4D82F\7.7.0\Global_VC_MFC42ANSICore_f0.51D569E2_8A28_11D2_B962_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\sntusb64.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\PwdGenUtility.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\snti386.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\SetupSysDriver.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{60A0806C-3EC0-4ED4-8630-4469CF4F8DF2}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF841.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver\DrvInstLauncher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\PwdGenUtility.exe	Jump to dropped file

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	39551
Entropy (8bit):	5.777093395157236
Encrypted:	false
SSDEEP:
MD5:	AE8A2087C1FC8613DBB9281AE799F5F2
SHA1:	1C67DC572A750D3FCC29AC8E946B15C6D2E6794D
SHA-256:	4C0ED47FFAD5BC9D7D48D4EC01421CB619551A0B0DD890CD122489E26AC98A18
SHA-512:	81CE319FA5248EBCABDEF106CCF8E70BD7452D4981D12E39ACE158A9B3B9C947EA79A1A395C1FD805983C5414D8439743C9D254B32AB0DD71D59B9AECC0E5F65
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@../W.@.....@.....@.....@.....@.....@......&.{60A0806C-3EC0-4ED4-8630-4469CF4F8DF2}#.Sentinel Protection Installer 7.7.0'.Sentinel Protection Installer 7.7.0.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{17578AC1-EC9F-47C0-9D6F-9DFE461344A6}.....@.....@.....@.....@.......@.....@.....@.......@....#.Sentinel Protection Installer 7.7.0......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F33251C5-DCBF-4D2B-8F17-1D54F8332ACE}&.{60A0806C-3EC0-4ED4-8630-4469CF4F8DF2}.@......&.{DBDD908C-77E6-4643-AF39-9EF592E1ED4F}&.{60A0806C-3EC0-4ED4-8630-4469CF4F8DF2}.@......&.{D5D01AE5-464D-4904-BE14-493AC1D3F708}&.{60A0806C-3EC0-4ED4-8630-4469CF4F8DF2}.@......&.{F236D834-72D1-11D4-82DC-00D0B72E1DB9}&.{60A0806C-3EC0-4ED4-8630-4469CF4F8DF2}.@......&.{20E35F30-736E-4F9E-86D2-64A5EC03A40D}&.{60A0806C-3EC0-4ED4-8630-4469CF4F8DF2}.@......&.{A6C4253F-8A78-4030-8026-E8C8E9A8D5A1}&.{60A0806C-3EC0-

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.9441541055709747
Encrypted:	false
SSDEEP:
MD5:	DE1FEBFE3006847506F9EF7AFA2AB819
SHA1:	A19DBBDCEE6437C369D602E9C899B85928DF3950
SHA-256:	F1A4DC5262B37286CCACF0A00D937BD9EA3FFF0A71753674D63424DF645ABBFA
SHA-512:	99942A1C88680F3687149458F6A50E6A300D35EDE8E7297E8CD14F8089E18ACBE200AC317953A704B8F9850BE28D60A08D65D65062D0564725E1AE3D5D078020
Malicious:	false
Reputation:	low
Preview:	.!..........@..@.....y......................n........y..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@............................P.............#.................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\drvinst.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	184154
Entropy (8bit):	5.362288362033732
Encrypted:	false
SSDEEP:
MD5:	9F41A5D15A6715AB53BBCB7488DB09F9
SHA1:	684A54AB6CDFF10A6984EC99802D13A35039FDAA
SHA-256:	7D18764941B4695852C270CDAB3C36FEDA6A9339C19BE1F3534BBED6EB0AE1BB
SHA-512:	6E58EE4E0D70EE4B069E24974355A47639D4F14A4ED6DC385963BDE26943DB34B7EC6CA0927F49E637C8E92EE696130F9E0E0E9DC28B3C430921CD105C3B2D77
Malicious:	false
Reputation:	low
Preview:	CatalogDB: 7:15:57 AM 5/27/2021: SyncDB:: DeleteCatalog: Containers-ApplicationGuard-Package~31bf3856ad364e35~amd64~~10.0.18362.1.cat..CatalogDB: 7:15:59 AM 5/27/2021: SyncDB:: DeleteCatalog: Containers-ApplicationGuard-Shared-Package~31bf3856ad364e35~amd64~~10.0.18362.1.cat..CatalogDB: 7:15:59 AM 5/27/2021: SyncDB:: DeleteCatalog: Containers-ApplicationGuard-Shared-windows-Package~31bf3856ad364e35~amd64~~10.0.18362.1.cat..CatalogDB: 7:15:59 AM 5/27/2021: SyncDB:: DeleteCatalog: Containers-Client-Manager-onecore-Package~31bf3856ad364e35~amd64~~10.0.18362.1.cat..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #1470 encountered error 0x0000012f..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #2046 encountered error 0x0000012f..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #2359 encountered error 0x0000012f..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #1245 encountered JET error -1601..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #1245 encounter

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	308
Entropy (8bit):	4.953397043011803
Encrypted:	false
SSDEEP:
MD5:	DB5E44074A6297B954B50CD3180DC2F1
SHA1:	807A43DFDD83D558FD79E94A2205A4932C071DBB
SHA-256:	CCFEC1ED9898EDE159D664F8872F8F44F9774BDD3E76491A23D530A3AFF46F28
SHA-512:	07DB4DACFE39E3B692A11F61E6288DC28D80C7AEADE53161F5215544BDDD018A44CC8332A40C2636EFF3D3D5FD61EE804A326451B1D0ED248E502F7C24724891
Malicious:	false
Reputation:	low
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .......

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Comments: Installs the Sentinel System Driver and Sentinel Protection Server., Keywords: Sentinel Protection Installer, Subject: Sentinel Protection Installer 7.7.0, Author: SafeNet, Inc., Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2013 - Premier Edition with Virtualization Pack 20, Revision Number: {17578AC1-EC9F-47C0-9D6F-9DFE461344A6}, Last Saved Time/Date: Wed May 8 18:39:06 2019, Create Time/Date: Wed May 8 18:39:06 2019, Last Printed: Wed May 8 18:39:06 2019, Code page: 1252, Template: Intel;1033
Entropy (8bit):	7.215857822918976
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	Sentinel Protection Installer 7.7.0.msi
File size:	7'942'144 bytes
MD5:	bc551bea7edbaa75c8f5265731b4129c
SHA1:	a08ddd22f8cdcf089d231bc5f48b2509a74b16bd
SHA256:	98f650baeba0d9155ce8edabc8895f5631921070f6533c23381c759de089c19a
SHA512:	08ed062ce0780a3cb299e3634627da7337da65f36594368bc3e82e0245c1c021335bf38022ee8a865929e0796c563f7b4aa57374769a0ad82b8c4cf2f3ad4741
SSDEEP:	98304:q7JShmHSz1Yy6DyZms3otFfHq5hYyZln0Yq5oG/LoLdtQYnQQEMZVUqu7/vGgHeQ:qUzOkYtsIZoHEMZVVO2ge3qi
TLSH:	5A86E01272C58071E0FB063B95FB13711736FDB56B32C28B67A0BD1D9C72A90952A7B2
File Content Preview:	........................>...................z...............8........6..................................L.......................................................n...............-...............................t...u..........................................

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Sentinel Protection Installer 7.7.0.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Config.Msi\69d3ec.rbs

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\MD5CHAP.dll

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\PwdGenUtility.exe

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\SHKSrvSupport.exe

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\Cancelinfo.html

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\SLM.js

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\configuration.html

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\default.css

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\favicon.ico

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\images\Button.jpg

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\images\MainBox.jpg

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\images\MainBox_Inner.jpg

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\images\RightBox.jpg

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\images\TitleImage.jpg

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\images\TopBox.jpg

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\keyinfo.html

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\lang.js

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\licenseUsages.html

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\licenseinfo.html

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\md5.js

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\root\welcome.html

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlconfigsrvr.xml

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvStop.exe

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\SPNSrvSupport.exe

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\MD5CHAP.dll

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\PwdGenUtility.exe

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\PwdGenUtility.exe.manifest

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\root\Cancelinfo.html

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\root\SLM.js

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\root\keyinfo.html

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\root\lang.js

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\root\licenseinfo.html

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\root\md5.js

C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\root\sublicenseinfo.html

Windows Analysis Report
Sentinel Protection Installer 7.7.0.msi

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre