Analysis
max time kernel: 147s
max time network: 152s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-10-2024 02:07
Static task: static1
Behavioral task behavioral1: sample yuanchangkuirr-intrallar.msi, resource win7-20241010-en
Behavioral task behavioral2: sample yuanchangkuirr-intrallar.msi, resource win10v2004-20241007-en
The signature tables below come from behavioral1, the Windows 7 x64 run: every memory-dump path in the YARA table carries the behavioral1/ prefix.
General
Target: yuanchangkuirr-intrallar.msi
Size: 72.3MB
MD5: 31e8ef3c0591e3ce82cb1c43fb6459c2
SHA1: 2adc3a5470d7e7507c60e6bf88d86985b2d3a7b9
SHA256: 9e0543dbde32aeacb27324fc070be63ae7bf679fbe69a4836e3dab627812a7b8
SHA512: c1607b5a051fe034378dee8c27aca1effbdf4ab985a500160f2260403bace6f5575117e73a21878ec3f88d1bde49f56cc99184012cb66d1cb2bdc2a7defb4994
SSDEEP: 1572864:DNDFH5QOjDdexAgZt/qNOU1bpJh11+exX8t6iwwdM1ZE0d+LH:1xjDdKAqFqQCJh11/xYP50d+7
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes. The report records only the process, not the command line, so the exclusions that were added are not visible here.
pid  Process
1948  powershell.exe
Drops file in Drivers directory 3 IoCs
description  ioc  Process
File created  C:\Windows\system32\DRIVERS\SETC554.tmp  DrvInst.exe
File opened for modification  C:\Windows\system32\DRIVERS\OrayMir.sys  DrvInst.exe
File opened for modification  C:\Windows\system32\DRIVERS\SETC554.tmp  DrvInst.exe
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunloginClient = "\"C:\\Program Files\\Oray\\SunLogin\\SunloginClient\\SunloginClient.exe\" --cmd=autorun"  SunloginClient15544x64.exe
The value sits under HKLM, so the remote-access client starts for every user at logon. It is written by the Sunlogin installer (SunloginClient15544x64.exe), not by the randomly named droppers.
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\A:, \??\B:, \??\E:, and \??\G: through \??\Z: (every letter except C, D and F), each opened twice; 46 entries in all  msiexec.exe
Modifies Windows Firewall 2 TTPs 26 IoCs
pid  Process
1520, 2364, 3000, 2840, 320, 888, 2244, 1704, 2280, 1688, 1860, 284, 2660, 2488, 2104, 2188, 2064, 2196, 2576, 2200, 1272, 1996, 684, 2036, 944, 1316  netsh.exe
Twenty-six separate netsh.exe invocations. The report lists only the pids, not the firewall rules that were added or changed.
Drops file in System32 directory 34 IoCs
description  ioc  Process
File created  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18C.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18E.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18F.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\OrayMirX64.cat  DrvInst.exe
File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt  devcon.exe
File opened for modification  C:\Windows\System32\DriverStore\infpub.dat  devcon.exe
File opened for modification  C:\Windows\System32\DriverStore\infstrng.dat  DrvInst.exe
File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\OrayMir.dll  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\OrayMir.sys  DrvInst.exe
File opened for modification  C:\Windows\system32\SETC543.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\infpub.dat  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18C.tmp  DrvInst.exe
File created  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18E.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}  DrvInst.exe
File created  C:\Windows\System32\DriverStore\INFCACHE.0  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\infstrng.dat  devcon.exe
File opened for modification  C:\Windows\system32\OrayMir.dll  DrvInst.exe
File created  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18D.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\omirhelp.dll  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\infpub.dat  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\infstrng.dat  DrvInst.exe
File created  C:\Windows\System32\DriverStore\FileRepository\oraymir.inf_amd64_neutral_4576e987d6279a34\oraymir.PNF  DrvInst.exe
File created  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18B.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18D.tmp  DrvInst.exe
File opened for modification  C:\Windows\system32\omirhelp.dll  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18B.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\oraymir.inf  DrvInst.exe
File created  C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18F.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\infstor.dat  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\FileRepository\oraymir.inf_amd64_neutral_4576e987d6279a34\oraymir.PNF  DrvInst.exe
File created  C:\Windows\system32\SETC504.tmp  DrvInst.exe
File opened for modification  C:\Windows\system32\SETC504.tmp  DrvInst.exe
File created  C:\Windows\system32\SETC543.tmp  DrvInst.exe
These are the driver\Mirror64 files (oraymir.inf, OrayMir.sys, OrayMir.dll, omirhelp.dll, OrayMirX64.cat) being staged into the DriverStore by DrvInst.exe after the dropped devcon.exe was run; the .PNF under FileRepository and oem2.inf under C:\Windows\INF (see "Drops file in Windows directory") are the installed driver package.
resource  yara_rule
behavioral1/memory/1212-50-0x000000013F0E0000-0x00000001400E0000-memory.dmp  upx
behavioral1/memory/2644-179-0x000000013F070000-0x0000000140070000-memory.dmp  upx
behavioral1/files/0x000500000001c8a0-316.dat  upx
behavioral1/memory/728-371-0x0000000000030000-0x0000000000CD8000-memory.dmp  upx
behavioral1/memory/1300-377-0x000000013F8C0000-0x00000001408C0000-memory.dmp  upx
The upx rule matches the memory of pids 1212 (SunloginClient15544x64.exe), 2644 and 1300 (SunloginClient.exe) and 728 (sunlogin_guard.exe), i.e. the Sunlogin binaries, plus one dropped file; the pid-to-image mapping is taken from "Executes dropped EXE" below.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
description  ioc  Process
File created  C:\Program Files\Oray\SunLogin\SunloginClient\athr_swoi.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-control-ssh.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\log\sunlogin_service.20241023-021007.log  SunloginClient.exe
File opened for modification  C:\Program Files\AnalyzeGentleExplorer  fUsKbQztGnwa.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-audio.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-cmd.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-ortc.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-usbip.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe  SunloginClient.exe
File opened for modification  C:\Program Files\Oray\SunLogin\SunloginClient\config.ini  SunloginClient.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\Mirror64\OrayMir.sys  SunloginClient15544x64.exe
File created  C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe  KXwXckjFEiVp.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\DpmsMonitor64\oraydpmsx64.cat  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\OrayUSBVHCI\x64\OrayUSBVHCI.sys  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-camera.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-control-camera.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\log\shell.20241023-021022.log  SunloginClient.exe
File created  C:\Program Files\AnalyzeGentleExplorer\common_clang32.dll  msiexec.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\Idd64\orayidddriver.cat  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\Print64\OrayPrint.inf  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\Print64\OrayPrintProcessor.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\VGC64\OrayVGC.inf  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\Vhid64\orayvhid.sys  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-file.dll  SunloginClient15544x64.exe
File opened for modification  C:\Program Files\Oray\SunLogin\SunloginClient\log\history.log  SunloginClient.exe
File opened for modification  C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe  KXwXckjFEiVp.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-codec.dll  SunloginClient15544x64.exe
File created  C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa  KXwXckjFEiVp.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\DpmsMonitor64\oraydpms.inf  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\Mirror64\devcon.exe  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\Mirror64\omirhelp.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\CopyRights.txt  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-control-file.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-net-p2p.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient_Test.zip  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\RCHook.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-control-desktop.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\Vhid64\orayvhidkmdf.sys  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe  SunloginClient15544x64.exe
File opened for modification  C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\Modules_Test.zip  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\Idd64\OrayIddDriver.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\OrayUSBStub\x64\OrayUSBStub.sys  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\OrayUSBVHCI\x64\orayusbvhci.cat  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\Vhid64\orayvhid.cat  SunloginClient15544x64.exe
File opened for modification  C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.xml  KXwXckjFEiVp.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-control-cmd.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-desktop.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\Mirror64\oraymirx64.cat  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\OrayUSBVHCI\x64\OrayUSBVHCI.inf  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\VGC64\OrayVGC.sys  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\Vhid64\devcon.exe  SunloginClient15544x64.exe
File opened for modification  C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa  KXwXckjFEiVp.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\itmprc\ssh.exe  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\sunlogin_guard\64\sunlogin_guard.exe  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-rdp.dll  SunloginClient15544x64.exe
File created  C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.xml  KXwXckjFEiVp.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\OrayUSBMon\x64\OrayUSBMon.sys  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-saddc.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\log\sunlogin_service_watch.20241023-021007.log  SunloginClient.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\OrayUSBMon\x64\orayusbmon.cat  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\DIFxAPI.x64.dll  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\OrayUSBStub\x64\orayusbstub.cat  SunloginClient15544x64.exe
File created  C:\Program Files\Oray\SunLogin\SunloginClient\driver\Print64\orayprint.cat  SunloginClient15544x64.exe
Drops file in Windows directory 24 IoCs
description  ioc  Process
File created  C:\Windows\Installer\f771575.ipi  msiexec.exe
File opened for modification  C:\Windows\Installer\  msiexec.exe
File created  C:\Windows\Installer\f771577.msi  msiexec.exe
File opened for modification  C:\Windows\INF\setupapi.dev.log  devcon.exe
File opened for modification  C:\Windows\INF\setupapi.dev.log  DrvInst.exe
File opened for modification  C:\Windows\INF\setupapi.ev2  DrvInst.exe
File opened for modification  C:\Windows\Installer\f771574.msi  msiexec.exe
File opened for modification  C:\Windows\INF\oem2.inf  DrvInst.exe
File created  C:\Windows\Installer\f771574.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI16CB.tmp  msiexec.exe
File opened for modification  C:\Windows\INF\setupapi.app.log  devcon.exe
File opened for modification  C:\Windows\setuperr.log  devcon.exe
File opened for modification  C:\Windows\INF\setupapi.ev1  DrvInst.exe
File opened for modification  C:\Windows\INF\setupapi.dev.log  DrvInst.exe
File opened for modification  C:\Windows\setupact.log  DrvInst.exe
File opened for modification  C:\Windows\INF\setupapi.dev.log  DrvInst.exe
File opened for modification  C:\Windows\INF\setupapi.ev1  DrvInst.exe
File opened for modification  C:\Windows\Installer\f771575.ipi  msiexec.exe
File opened for modification  C:\Windows\setupact.log  devcon.exe
File created  C:\Windows\INF\oem2.inf  DrvInst.exe
File opened for modification  C:\Windows\INF\setupapi.ev3  DrvInst.exe
File created  C:\Windows\INF\oem2.PNF  DrvInst.exe
File opened for modification  C:\Windows\setuperr.log  DrvInst.exe
File opened for modification  C:\Windows\INF\setupapi.ev3  DrvInst.exe
Executes dropped EXE 12 IoCs
pid  Process
764  KXwXckjFEiVp.exe
2984  fUsKbQztGnwa.exe
1212  SunloginClient15544x64.exe
1752  SunloginClient15544x64.exe
2644  SunloginClient.exe
2032  devcon.exe
1300  SunloginClient.exe
1704  SunloginClient.exe
728  sunlogin_guard.exe
2980  SunloginClient.exe
2732  SunloginClient.exe
2840  SunloginClient.exe
Pids 1704 and 2840 also appear as netsh.exe under "Modifies Windows Firewall": Windows reuses pids once a process exits, so a pid on its own is not a stable key when correlating rows across these tables.
Loads dropped DLL 14 IoCs
pid  Process
824  MsiExec.exe
2984  fUsKbQztGnwa.exe (2 entries)
1752  SunloginClient15544x64.exe (3 entries)
1176  Process not Found (4 entries)
2644  SunloginClient.exe (2 entries)
1300  SunloginClient.exe
2932  Process not Found
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid  Process
2420  msiexec.exe
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description  ioc  Process
Key opened / Key queried / Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe (64 entries, all against this one key)
Every entry here is a read (open, query or enumerate) of the key in which netsh helper DLLs are registered; none sets a value or creates a key. netsh.exe reads this key on every start to load its helpers, so these 64 entries are a by-product of the 26 netsh.exe invocations listed under "Modifies Windows Firewall" rather than evidence that a helper DLL was registered. A real helper-DLL persistence would show up as a Set value under this key.
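The rows that matter most to a responder in the tables above (the HKLM Run value, the driver written into system32\DRIVERS, the randomly named executables under C:\Program Files\AnalyzeGentleExplorer and the netsh.exe registry reads) are all presented in the same flattened "operation, IoC, process" form. The script below is an added example, not part of the sandbox report or of any sandbox tooling: it parses rows in that form and applies a few triage rules to them. The sample rows are copied from the tables above; the rule set and the thresholds in looks_generated are my own assumptions, tuned on the names in this report.

```python
"""Parse flattened sandbox rows of the form '<operation> <ioc> <process>'
and apply a few triage rules (added example; not sandbox code)."""
import re
from collections import Counter

# Operation prefixes used by the report's file and registry tables, longest
# first so that e.g. "Key value enumerated" is tried before "Key opened".
OPERATIONS = sorted([
    "File created", "File opened for modification", "File opened (read-only)",
    "Set value (str)", "Set value (int)", "Set value (data)",
    "Key created", "Key opened", "Key queried", "Key value enumerated",
], key=len, reverse=True)
WRITE_OPS = {"Set value (str)", "Set value (int)", "Set value (data)", "Key created"}

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# First "X:\...exe" inside the quoted command line; the report doubles backslashes
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)

# Constructed sample: rows copied from the report's tables, one or two per signature.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunloginClient = "\"C:\\Program Files\\Oray\\SunLogin\\SunloginClient\\SunloginClient.exe\" --cmd=autorun" SunloginClient15544x64.exe',
    r'File opened for modification C:\Windows\system32\DRIVERS\OrayMir.sys DrvInst.exe',
    r'File created C:\Windows\system32\DRIVERS\SETC554.tmp DrvInst.exe',
    r'File created C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe KXwXckjFEiVp.exe',
    r'File created C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-control-cmd.dll SunloginClient15544x64.exe',
    r'Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe',
    r'Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe',
    r'File opened (read-only) \??\P: msiexec.exe',
]


def parse_row(row):
    """Split a row into (operation, ioc, process). The process image is the
    last token; the IoC may itself contain spaces ('C:\\Program Files\\...')."""
    for op in OPERATIONS:
        if row.startswith(op + " "):
            ioc, _, proc = row[len(op) + 1:].rpartition(" ")
            return op, ioc, proc
    raise ValueError(f"unrecognised row: {row!r}")


def case_transitions(name):
    """Count lower/upper switches between adjacent letters; machine-generated
    names such as KXwXckjFEiVp score high, real words and product names low."""
    return sum(1 for a, b in zip(name, name[1:])
               if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())


def looks_generated(filename, min_len=8, min_switches=5):
    """Heuristic for random-looking names (thresholds are assumptions)."""
    stem = filename.rsplit(".", 1)[0]
    return stem.isalpha() and len(stem) >= min_len and case_transitions(stem) >= min_switches


def triage(rows):
    f = {"persistence": [], "drivers": [], "netsh_helper_writes": [],
         "netsh_helper_reads": 0, "generated_names": set(), "by_process": Counter()}
    for row in rows:
        op, ioc, proc = parse_row(row)
        f["by_process"][proc] += 1
        low = ioc.lower()
        # Run-key persistence: pull the executable out of the quoted command line
        if op.startswith("Set value") and RUN_KEY.search(ioc):
            m = EXE_PATH.search(ioc)
            f["persistence"].append((proc, m.group(0).replace("\\\\", "\\") if m else ioc))
        # Kernel driver written into the drivers directory
        if op.startswith("File") and "\\system32\\drivers\\" in low and low.endswith(".sys"):
            f["drivers"].append((proc, ioc))
        # Helper-DLL registration only shows as a write under ...\Microsoft\NetSh;
        # reads of that key happen on every netsh start and are merely counted
        if low.endswith("\\microsoft\\netsh"):
            if op in WRITE_OPS:
                f["netsh_helper_writes"].append((proc, op, ioc))
            else:
                f["netsh_helper_reads"] += 1
        # Randomly named executables, whether dropped or acting
        if op.startswith("File") and looks_generated(ioc.rsplit("\\", 1)[-1]):
            f["generated_names"].add(ioc.rsplit("\\", 1)[-1])
        if looks_generated(proc):
            f["generated_names"].add(proc)
    return f


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run as a script it prints the findings for the embedded rows; feed parse_row the rows of another report to reuse it. The netsh rule is the one worth copying: it alerts only on a write under HKLM\SOFTWARE\Microsoft\NetSh and just counts the reads, which is the distinction the "Netsh Helper DLL" signature above does not draw.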
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fUsKbQztGnwa.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  KXwXckjFEiVp.exe
Both readers are the randomly named droppers, not the Sunlogin binaries.
Kills process with taskkill 1 IoCs
pid  Process
2392  taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"  SunloginClient15544x64.exe
Key created  \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control  SunloginClient15544x64.exe
Key created  \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001  SunloginClient15544x64.exe
Key created  \REGISTRY\USER\.DEFAULT\System  SunloginClient15544x64.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  SunloginClient.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"  netsh.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"  netsh.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe (5 entries)
Key created  \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace  netsh.exe (9 entries)
Key created  \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session  netsh.exe (4 entries)
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  DrvInst.exe (2 entries)
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates  DrvInst.exe (2 entries)
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  DrvInst.exe (2 entries)
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates  DrvInst.exe (2 entries)
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs  DrvInst.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs  devcon.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  devcon.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs  devcon.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs  devcon.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  devcon.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates  devcon.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates  devcon.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates  devcon.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  devcon.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs  devcon.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs  devcon.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs  devcon.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates  devcon.exe
Nearly all of these entries are side effects of the driver installation (certificate-store keys created by DrvInst.exe and devcon.exe while verifying the driver catalog) and of netsh.exe (NetTrace and MuiCache). The entries written by the Sunlogin binaries themselves are the four SunloginClient15544x64.exe keys and UNCAsIntranet = 0 from SunloginClient.exe.
Modifies registry class 22 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\PackageName = "yuanchangkuirr-intrallar.msi"  msiexec.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Clients = 3a0000000000  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Version = "67567622"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Assignment = "1"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\InstanceType = "0"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\DeploymentFlags = "3"  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C6BDC420EDD7D3E42A4DC9EAE81B4DFB  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\PackageCode = "16365A16AE1FE094B86DB5BC2E221855"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Language = "1033"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C19253CA00EB68D488C5FD8D3377BD29\C6BDC420EDD7D3E42A4DC9EAE81B4DFB  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\ProductName = "AnalyzeGentleExplorer"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\AuthorizedLUAApp = "0"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Media\1 = ";"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\ProductFeature  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\AdvertiseFlags = "388"  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C19253CA00EB68D488C5FD8D3377BD29  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Net  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Media  msiexec.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process
- 792 msiexec.exe
- 792 msiexec.exe
- 1948 powershell.exe
- 2984 fUsKbQztGnwa.exe
- 1752 SunloginClient15544x64.exe
- 1752 SunloginClient15544x64.exe
- 1752 SunloginClient15544x64.exe
- 1752 SunloginClient15544x64.exe
- 1752 SunloginClient15544x64.exe
- 1752 SunloginClient15544x64.exe
- 1752 SunloginClient15544x64.exe
- 1752 SunloginClient15544x64.exe
- 1300 SunloginClient.exe
- 1300 SunloginClient.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
- Token: SeShutdownPrivilege 2420 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 2420 msiexec.exe
- Token: SeRestorePrivilege 792 msiexec.exe
- Token: SeTakeOwnershipPrivilege 792 msiexec.exe
- Token: SeSecurityPrivilege 792 msiexec.exe
- Token: SeCreateTokenPrivilege 2420 msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege 2420 msiexec.exe
- Token: SeLockMemoryPrivilege 2420 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 2420 msiexec.exe
- Token: SeMachineAccountPrivilege 2420 msiexec.exe
- Token: SeTcbPrivilege 2420 msiexec.exe
- Token: SeSecurityPrivilege 2420 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2420 msiexec.exe
- Token: SeLoadDriverPrivilege 2420 msiexec.exe
- Token: SeSystemProfilePrivilege 2420 msiexec.exe
- Token: SeSystemtimePrivilege 2420 msiexec.exe
- Token: SeProfSingleProcessPrivilege 2420 msiexec.exe
- Token: SeIncBasePriorityPrivilege 2420 msiexec.exe
- Token: SeCreatePagefilePrivilege 2420 msiexec.exe
- Token: SeCreatePermanentPrivilege 2420 msiexec.exe
- Token: SeBackupPrivilege 2420 msiexec.exe
- Token: SeRestorePrivilege 2420 msiexec.exe
- Token: SeShutdownPrivilege 2420 msiexec.exe
- Token: SeDebugPrivilege 2420 msiexec.exe
- Token: SeAuditPrivilege 2420 msiexec.exe
- Token: SeSystemEnvironmentPrivilege 2420 msiexec.exe
- Token: SeChangeNotifyPrivilege 2420 msiexec.exe
- Token: SeRemoteShutdownPrivilege 2420 msiexec.exe
- Token: SeUndockPrivilege 2420 msiexec.exe
- Token: SeSyncAgentPrivilege 2420 msiexec.exe
- Token: SeEnableDelegationPrivilege 2420 msiexec.exe
- Token: SeManageVolumePrivilege 2420 msiexec.exe
- Token: SeImpersonatePrivilege 2420 msiexec.exe
- Token: SeCreateGlobalPrivilege 2420 msiexec.exe
- Token: SeBackupPrivilege 2120 vssvc.exe
- Token: SeRestorePrivilege 2120 vssvc.exe
- Token: SeAuditPrivilege 2120 vssvc.exe
- Token: SeBackupPrivilege 792 msiexec.exe
- Token: SeRestorePrivilege 792 msiexec.exe
- Token: SeRestorePrivilege 2820 DrvInst.exe
- Token: SeRestorePrivilege 2820 DrvInst.exe
- Token: SeRestorePrivilege 2820 DrvInst.exe
- Token: SeRestorePrivilege 2820 DrvInst.exe
- Token: SeRestorePrivilege 2820 DrvInst.exe
- Token: SeRestorePrivilege 2820 DrvInst.exe
- Token: SeRestorePrivilege 2820 DrvInst.exe
- Token: SeLoadDriverPrivilege 2820 DrvInst.exe
- Token: SeLoadDriverPrivilege 2820 DrvInst.exe
- Token: SeLoadDriverPrivilege 2820 DrvInst.exe
- Token: SeRestorePrivilege 792 msiexec.exe
- Token: SeTakeOwnershipPrivilege 792 msiexec.exe
- Token: SeRestorePrivilege 792 msiexec.exe
- Token: SeTakeOwnershipPrivilege 792 msiexec.exe
- Token: SeRestorePrivilege 792 msiexec.exe
- Token: SeTakeOwnershipPrivilege 792 msiexec.exe
- Token: SeDebugPrivilege 1948 powershell.exe
- Token: SeRestorePrivilege 764 KXwXckjFEiVp.exe
- Token: 35 764 KXwXckjFEiVp.exe
- Token: SeSecurityPrivilege 764 KXwXckjFEiVp.exe
- Token: SeSecurityPrivilege 764 KXwXckjFEiVp.exe
- Token: SeRestorePrivilege 792 msiexec.exe
- Token: SeTakeOwnershipPrivilege 792 msiexec.exe
- Token: SeRestorePrivilege 792 msiexec.exe
- Token: SeTakeOwnershipPrivilege 792 msiexec.exe
Suspicious use of FindShellTrayWindow 9 IoCs
pid Process
- 2420 msiexec.exe
- 2420 msiexec.exe
- 1752 SunloginClient15544x64.exe
- 2732 SunloginClient.exe
- 2732 SunloginClient.exe
- 2732 SunloginClient.exe
- 2732 SunloginClient.exe
- 2732 SunloginClient.exe
- 2732 SunloginClient.exe
Suspicious use of SendNotifyMessage 4 IoCs
pid Process
- 2732 SunloginClient.exe
- 2732 SunloginClient.exe
- 2732 SunloginClient.exe
- 2732 SunloginClient.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
- 1752 SunloginClient15544x64.exe
- 2732 SunloginClient.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
- PID 792 wrote to memory of 824 792 msiexec.exe 35
- PID 792 wrote to memory of 824 792 msiexec.exe 35
- PID 792 wrote to memory of 824 792 msiexec.exe 35
- PID 792 wrote to memory of 824 792 msiexec.exe 35
- PID 792 wrote to memory of 824 792 msiexec.exe 35
- PID 824 wrote to memory of 1948 824 MsiExec.exe 37
- PID 824 wrote to memory of 1948 824 MsiExec.exe 37
- PID 824 wrote to memory of 1948 824 MsiExec.exe 37
- PID 824 wrote to memory of 764 824 MsiExec.exe 39
- PID 824 wrote to memory of 764 824 MsiExec.exe 39
- PID 824 wrote to memory of 764 824 MsiExec.exe 39
- PID 824 wrote to memory of 764 824 MsiExec.exe 39
- PID 824 wrote to memory of 2984 824 MsiExec.exe 41
- PID 824 wrote to memory of 2984 824 MsiExec.exe 41
- PID 824 wrote to memory of 2984 824 MsiExec.exe 41
- PID 824 wrote to memory of 2984 824 MsiExec.exe 41
- PID 824 wrote to memory of 1212 824 MsiExec.exe 42
- PID 824 wrote to memory of 1212 824 MsiExec.exe 42
- PID 824 wrote to memory of 1212 824 MsiExec.exe 42
- PID 1212 wrote to memory of 1752 1212 SunloginClient15544x64.exe 43
- PID 1212 wrote to memory of 1752 1212 SunloginClient15544x64.exe 43
- PID 1212 wrote to memory of 1752 1212 SunloginClient15544x64.exe 43
- PID 1752 wrote to memory of 2060 1752 SunloginClient15544x64.exe 44
- PID 1752 wrote to memory of 2060 1752 SunloginClient15544x64.exe 44
- PID 1752 wrote to memory of 2060 1752 SunloginClient15544x64.exe 44
- PID 2060 wrote to memory of 2340 2060 cmd.exe 46
- PID 2060 wrote to memory of 2340 2060 cmd.exe 46
- PID 2060 wrote to memory of 2340 2060 cmd.exe 46
- PID 2060 wrote to memory of 1964 2060 cmd.exe 47
- PID 2060 wrote to memory of 1964 2060 cmd.exe 47
- PID 2060 wrote to memory of 1964 2060 cmd.exe 47
- PID 1964 wrote to memory of 2840 1964 cmd.exe 48
- PID 1964 wrote to memory of 2840 1964 cmd.exe 48
- PID 1964 wrote to memory of 2840 1964 cmd.exe 48
- PID 2060 wrote to memory of 2912 2060 cmd.exe 49
- PID 2060 wrote to memory of 2912 2060 cmd.exe 49
- PID 2060 wrote to memory of 2912 2060 cmd.exe 49
- PID 2912 wrote to memory of 320 2912 cmd.exe 50
- PID 2912 wrote to memory of 320 2912 cmd.exe 50
- PID 2912 wrote to memory of 320 2912 cmd.exe 50
- PID 2060 wrote to memory of 3036 2060 cmd.exe 52
- PID 2060 wrote to memory of 3036 2060 cmd.exe 52
- PID 2060 wrote to memory of 3036 2060 cmd.exe 52
- PID 3036 wrote to memory of 2104 3036 cmd.exe 53
- PID 3036 wrote to memory of 2104 3036 cmd.exe 53
- PID 3036 wrote to memory of 2104 3036 cmd.exe 53
- PID 2060 wrote to memory of 2708 2060 cmd.exe 54
- PID 2060 wrote to memory of 2708 2060 cmd.exe 54
- PID 2060 wrote to memory of 2708 2060 cmd.exe 54
- PID 2708 wrote to memory of 2188 2708 cmd.exe 55
- PID 2708 wrote to memory of 2188 2708 cmd.exe 55
- PID 2708 wrote to memory of 2188 2708 cmd.exe 55
- PID 2060 wrote to memory of 664 2060 cmd.exe 56
- PID 2060 wrote to memory of 664 2060 cmd.exe 56
- PID 2060 wrote to memory of 664 2060 cmd.exe 56
- PID 664 wrote to memory of 1272 664 cmd.exe 57
- PID 664 wrote to memory of 1272 664 cmd.exe 57
- PID 664 wrote to memory of 1272 664 cmd.exe 57
- PID 2060 wrote to memory of 344 2060 cmd.exe 58
- PID 2060 wrote to memory of 344 2060 cmd.exe 58
- PID 2060 wrote to memory of 344 2060 cmd.exe 58
- PID 344 wrote to memory of 1996 344 cmd.exe 59
- PID 344 wrote to memory of 1996 344 cmd.exe 59
- PID 344 wrote to memory of 1996 344 cmd.exe 59
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[depth 1] C:\Windows\system32\msiexec.exe (PID:2420)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\yuanchangkuirr-intrallar.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
[depth 1] C:\Windows\system32\msiexec.exe (PID:792)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\MsiExec.exe (PID:824)
    Command line: C:\Windows\system32\MsiExec.exe -Embedding 33DB54815138BAD999151C85A70EC9F1 M Global\MSI0000
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:1948)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\AnalyzeGentleExplorer'
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe (PID:764)
      Command line: "C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe" x "C:\Program Files\AnalyzeGentleExplorer\jtsQyBozxwOIHmIoteVO" -o"C:\Program Files\AnalyzeGentleExplorer\" -pjMgmEjeKlhGKaGgJyBsZ -y
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe (PID:2984)
      Command line: "C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe" -number 105 -file file3 -mode mode3 -flag flag3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    [depth 3] C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe (PID:1212)
      Command line: "C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe"
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe (PID:1752)
        Command line: "C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe" --mod=install --admin=1
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\system32\cmd.exe (PID:2060)
          Command line: cmd /c install.bat SunloginClient
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\system32\cmd.exe (PID:2340)
            Command line: C:\Windows\system32\cmd.exe /c ver
          [depth 6] C:\Windows\system32\cmd.exe (PID:1964)
            Command line: cmd /c netsh advfirewall firewall delete rule name="SunloginClient"
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\system32\netsh.exe (PID:2840)
              Command line: netsh advfirewall firewall delete rule name="SunloginClient"
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - Modifies data under HKEY_USERS
          [depth 6] C:\Windows\system32\cmd.exe (PID:2912)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=public
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\system32\netsh.exe (PID:320)
              Command line: netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=public
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - Modifies data under HKEY_USERS
          [depth 6] C:\Windows\system32\cmd.exe (PID:3036)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=public
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\system32\netsh.exe (PID:2104)
              Command line: netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=public
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - Modifies data under HKEY_USERS
          [depth 6] C:\Windows\system32\cmd.exe (PID:2708)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=public
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\system32\netsh.exe (PID:2188)
              Command line: netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=public
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
          [depth 6] C:\Windows\system32\cmd.exe (PID:664)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=public
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\system32\netsh.exe (PID:1272)
              Command line: netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=public
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
          [depth 6] C:\Windows\system32\cmd.exe (PID:344)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=domain
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\system32\netsh.exe (PID:1996)
              Command line: netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=domain
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - Modifies data under HKEY_USERS
          [depth 6] C:\Windows\system32\cmd.exe (PID:2516)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=domain
            [depth 7] C:\Windows\system32\netsh.exe (PID:684)
              Command line: netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=domain
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - Modifies data under HKEY_USERS
          [depth 6] C:\Windows\system32\cmd.exe (PID:408)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=domain
            [depth 7] C:\Windows\system32\netsh.exe (PID:888)
              Command line: netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=domain
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
          [depth 6] C:\Windows\system32\cmd.exe (PID:2204)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=domain
            [depth 7] C:\Windows\system32\netsh.exe (PID:2244)
              Command line: netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=domain
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - Modifies data under HKEY_USERS
          [depth 6] C:\Windows\system32\cmd.exe (PID:2404)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=private
            [depth 7] C:\Windows\system32\netsh.exe (PID:1860)
              Command line: netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=private
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
          [depth 6] C:\Windows\system32\cmd.exe (PID:1712)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=private
            [depth 7] C:\Windows\system32\netsh.exe (PID:1704)
              Command line: netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=private
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - Modifies data under HKEY_USERS
          [depth 6] C:\Windows\system32\cmd.exe (PID:1744)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=private
            [depth 7] C:\Windows\system32\netsh.exe (PID:2036)
              Command line: netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=private
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - Modifies data under HKEY_USERS
          [depth 6] C:\Windows\system32\cmd.exe (PID:3024)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=private
            [depth 7] C:\Windows\system32\netsh.exe (PID:1520)
              Command line: netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=private
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - Modifies data under HKEY_USERS
          [depth 6] C:\Windows\system32\cmd.exe (PID:936)
            Command line: cmd /c netsh advfirewall firewall delete rule name="SunloginDesktopAgent"
            [depth 7] C:\Windows\system32\netsh.exe (PID:944)
              Command line: netsh advfirewall firewall delete rule name="SunloginDesktopAgent"
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
          [depth 6] C:\Windows\system32\cmd.exe (PID:1932)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=public
            [depth 7] C:\Windows\system32\netsh.exe (PID:2196)
              Command line: netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=public
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - Modifies data under HKEY_USERS
          [depth 6] C:\Windows\system32\cmd.exe (PID:2320)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=public
            [depth 7] C:\Windows\system32\netsh.exe (PID:284)
              Command line: netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=public
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - Modifies data under HKEY_USERS
          [depth 6] C:\Windows\system32\cmd.exe (PID:1452)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=public
            [depth 7] C:\Windows\system32\netsh.exe (PID:2364)
              Command line: netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=public
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
          [depth 6] C:\Windows\system32\cmd.exe (PID:2868)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=public
            [depth 7] C:\Windows\system32\netsh.exe (PID:2660)
              Command line: netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=public
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - Modifies data under HKEY_USERS
          [depth 6] C:\Windows\system32\cmd.exe (PID:1724)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=domain
            [depth 7] C:\Windows\system32\netsh.exe (PID:2488)
              Command line: netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=domain
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
          [depth 6] C:\Windows\system32\cmd.exe (PID:740)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=domain
            [depth 7] C:\Windows\system32\netsh.exe (PID:2576)
              Command line: netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=domain
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
          [depth 6] C:\Windows\system32\cmd.exe (PID:1052)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=domain
            [depth 7] C:\Windows\system32\netsh.exe (PID:3000)
              Command line: netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=domain
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - Modifies data under HKEY_USERS
          [depth 6] C:\Windows\system32\cmd.exe (PID:876)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=domain
            [depth 7] C:\Windows\system32\netsh.exe (PID:2280)
              Command line: netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=domain
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
          [depth 6] C:\Windows\system32\cmd.exe (PID:1548)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=private
            [depth 7] C:\Windows\system32\netsh.exe (PID:1688)
              Command line: netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=private
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
          [depth 6] C:\Windows\system32\cmd.exe (PID:2988)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=private
            [depth 7] C:\Windows\system32\netsh.exe (PID:2200)
              Command line: netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=private
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
          [depth 6] C:\Windows\system32\cmd.exe (PID:3004)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=private
            [depth 7] C:\Windows\system32\netsh.exe (PID:2064)
              Command line: netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=private
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - Modifies data under HKEY_USERS
          [depth 6] C:\Windows\system32\cmd.exe (PID:2772)
            Command line: cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=private
            [depth 7] C:\Windows\system32\netsh.exe (PID:1316)
              Command line: netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=private
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
        [depth 5] C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe (PID:2644)
          Command line: "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=install --cmd=driver_mirror
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies data under HKEY_USERS
          [depth 6] C:\Program Files\Oray\SunLogin\SunloginClient\Driver\Mirror64\devcon.exe (PID:2032)
            Command line: "C:\Program Files\Oray\SunLogin\SunloginClient\Driver\Mirror64\devcon.exe" reinstall "C:\Program Files\Oray\SunLogin\SunloginClient\Driver\Mirror64\OrayMir.inf" C50B00D7-AE62-4936-8BC8-20E0B9F0BEFB
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Executes dropped EXE
            - Modifies data under HKEY_USERS
        [depth 5] C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe (PID:2732)
          Command line: "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --admin=1 --first_install=1
          - Drops file in Program Files directory
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          [depth 6] C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe (PID:2840)
            Command line: "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=helper --cmd=cuda_check
            - Executes dropped EXE
          [depth 6] C:\Windows\system32\taskkill.exe (PID:2392)
            Command line: taskkill /IM OrayAI.exe /F
            - Kills process with taskkill
[depth 1] C:\Windows\system32\vssvc.exe (PID:2120)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\DrvInst.exe (PID:2820)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000490" "00000000000005A4"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\DrvInst.exe (PID:2968)
  Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5d00ecd6-f2d4-257f-3feb-816b669c4154}\oraymir.inf" "9" "6e6179ed3" "0000000000000584" "WinSta0\Default" "00000000000005DC" "208" "c:\program files\oray\sunlogin\sunloginclient\driver\mirror64"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
[depth 1] C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe (PID:1300)
  Command line: "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=service
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  [depth 2] C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe (PID:1704)
    Command line: "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=watch --pid=1300
    - Drops file in Program Files directory
    - Executes dropped EXE
  [depth 2] C:\Program Files\Oray\SunLogin\SunloginClient\sunlogin_guard\64\sunlogin_guard.exe (PID:728)
    Command line: "C:\Program Files\Oray\SunLogin\SunloginClient\sunlogin_guard\64\sunlogin_guard.exe" start -mode worker -server api-ti.sunlogin.oray.com -sunlogin -appname "Global\966DDA87-F543-42B4-B6CE-A1225068B7C7" -client_id "" -uid 0 -ua "SLRC/15.6.8.15544 (Windows,x64,appname=sunloginRemoteClient)"
    - Executes dropped EXE
  [depth 2] C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe (PID:2980)
    Command line: "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=update --cmd=check
    - Executes dropped EXE
[depth 1] C:\Windows\system32\DrvInst.exe (PID:1480)
  Command line: DrvInst.exe "2" "211" "ROOT\DISPLAY\0000" "C:\Windows\INF\oem2.inf" "oraymir.inf:Oray.NTamd64:OrayMir_Inst:1.0.1.17485:c50b00d7-ae62-4936-8bc8-20e0b9f0befb" "6e6179ed3" "00000000000003E8" "0000000000000594" "00000000000005A4"
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Installer Packages (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Installer Packages (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
- System Binary Proxy Execution (1)
  - Msiexec (1)
Downloads
-
Filesize
606B
MD585f5bd3cd500e1b2aeddfa8e9b05d3b0
SHA1f5adb8d1c266fca7e6ecbee94c66998979012041
SHA2560c64b94ec59d44b170a713d85d35a04cba730202a57eaf5b463e930fe4b6e06c
SHA5128d98a8604e9ea05a9e2506a1111e1c3f1df2f8163b4f207310a57f8276aea8f88aa8578ddfb439639c31671aa8ff36bc5be859cce3d8eb6738ad1bb5e22386be
-
Filesize
617B
MD5545159d07a91397d527f1a7e961c1dba
SHA157e78042b5ff68879f3e464906ad11212d98bfe6
SHA256655992a2fad31b28346f10211b7a01ba712473a2a302fe916188ca277acba16d
SHA5129e848d410f94ade2470cad64c6da341a035a9e7f846e23de62737416b665ed7a8447ae0bb22cf0753e84887cdb880b93e7e60920fe42d479d848742650c9d9d1
-
Filesize
4KB
MD5fecc9827c5095279cab9ae0527c28be7
SHA163839ceeb13e4cfceb04fb35c875127ec4462772
SHA25677470fac948497f08c40f2d960db3dc3476bda636f176f5ba18eae3f8aec0f4f
SHA5124014cac462e74ad4b5bf7709efd2ab1506a7936f7b827fdf830420ade707c4729084f723c22e7bcee47ea9fc6e249e255060dbcc9895409566d35d094a827a75
-
Filesize
6.7MB
MD50d7110765f87087a158204a7a09edc4b
SHA11299732166ab4b4fd508255a35fcf8ae46d37f12
SHA256f238cbfba968f9b8d163735166476e45d1cd467312b022522daf45734925ce0b
SHA5120c7dbcf41ccfc6a564f687cc05b275ed022554e7f2b9e8bb7cf70030b9d87da960686e3550ca8cf3c93f393fe37b0f17aa5e2f3afff5352a0714d1fad5038f14
-
Filesize
175B
MD58c9fbbbe7b7569139f6ae49e205054f5
SHA1d18f010691c35dfacc5a5d6ba17d0a5d803e998e
SHA256787d7b69db310fc95a26ec9cfe427cffcb184cf8975e9d10f24e990dc357837d
SHA512fd7778b4df7fd4c81f1502b04306b49db5a11ca46390f2e61d1be30098e2e1b990ba4c98591245c6f7f9a87aae7f9c5ade09a8d4cb7cfde6c3b86b1fe552462d
-
Filesize
199B
MD5400b294d1d93a0f2652acd09f9ae9c5e
SHA179510519ca410483f2fc172d0ee911e332eac007
SHA25608c238a5bcd727e68d3bb6bbd5085b5ff5cd327d73fb716d4baa2d1df1a3ff5e
SHA51263865434593f78b8ef58906e2bef52a5e14b1d6b194901c887bec71193d872efc58ecf57135a13fc034bab8209f086461480e92cbfbc93432d23e43d38b565f7
-
Filesize
308B
MD562c5f47ce270221341589c69ebffe40b
SHA1b3a4e976b31b298fa24526e21ff693de0ac70112
SHA256e9b3931fdba77493dcdf4117ea88cd849ff76db2035d7f4f240bb8d9d5925b6c
SHA5127e34778506c48dfb51c149c452fd623f890cc0d7e01e325cac970b3ffcfe45b68a473fa949b9901cf354aac3971c988053e9c0601f74b2ce2b09c7244d6e63db
-
Filesize
310B
MD5c256dc950a96c711ae515ce274a3c38a
SHA1e2a639888d3faf686be8ac6f811f76e6915228eb
SHA256930ed7283301dcbaac640c35c47f6febea808e64b6e5bd2f51863551aed2011f
SHA51224d8f26d83c410182fd6787806d01bcf0742748d00b793d27c55e5795a50d862275e9fa3dd8004935bc7427f1d0946949194c9ee2d8cd8e04e041a4db2051a67
-
Filesize
754B
MD593b5d229cb3f84332c9bddf9b363107d
SHA185a752d449d700f94c5063df42584d7097966a3d
SHA2568c47ef5fbcdcc09d1674a83a910da4265cd279ecadbe8039c8885950ab6c4d98
SHA512b6183fb44e976fd7aba6672ff1877bed2ec8430ec60a9d4ae5e5c13cc386b05440bea2f6ede3c355a2311593dc4ea6a815c504241fc591712ef6b1109fe43282
-
C:\Windows\System32\DriverStore\FileRepository\oraymir.inf_amd64_neutral_4576e987d6279a34\oraymir.PNF
Filesize11KB
MD5702914d1da046dda226127ad4989b0fb
SHA1cf1493e6ec4965122528ac0492fe514f9d7c27c6
SHA25642257cd55ed0f709bc5eaecac81648f76d5d6c5168128f2960fd8d75b7046dd3
SHA5122882a8a1c8ad8a44af52c6b50fa02d5a7fad8fce9518c9c9a9592a67b524bd9e687b16cc604b4d30fd468f12b098af0f46b9b461f7c2d2d3e28fb095fa179b39
-
Filesize
1.4MB
MD51bd7beca4338b9cf377c3ba60e3171bd
SHA1c04be255cca75710ea0e21cf18f4363b19df8bd0
SHA25689f49dfc5317c97f8b0e066db52a25a9a130517e75abe1ba14593162b6ee2c4e
SHA51272a125493cd8daf6842c64e895b8a3b3f240df44d7a6d8e166f7672e62c54ebdfed7edcc1b4db564785965fdf8e1952dd5ed4b304e211d2dd5c661bd8822e04c
-
Filesize
320B
MD58dfaa7511926b0c727c97c8d54c826d1
SHA1d36f86a9ac8f2a5c13d45fc29bc7786ca6a5271c
SHA256df8981a8011b2cb289db1f3a0cc97f883b5704958126b56185846e413ae72b18
SHA512670419ed2c2fab5448f368343f24f699a7b307bf9fd8b98b556bdf4c8bdd8fade9bbf3c220823b26f9fefa1d513f7c6010fade015aecfcdeceba42b7d5873ea8
-
Filesize
11KB
MD5c0f1f6139f9f0233dff9554b1c8abe76
SHA1674e8611cdb50499bb5d1c8f07c27e98a451937b
SHA2568d72208721b65928dfb62c9cfdacfbcc99b6e745fa93816edfc0e7ae73dd6765
SHA512b6174d31b35aaafdc8264812efa43e3baadcfde7686c82b130ec39bb21705982d890f42554f68df7066048caef510f4bcaaa0c99f1ef82166d9466ca91b54fb4
-
Filesize
34KB
MD5d275259c36eb1ee4f8eaaa9d2306d5c2
SHA1695648ddc5ac38d11e9f62bd033e68b4404e57f9
SHA25696dc4482f0d4f04d760efccb42941161fe8f16f4f347716baf361f7320c4be3e
SHA5121d53b55d7edffd277ed366c44917bcfbd0caf1bf26c2c32b647a4984670223750b4a61310ca3f3dbf87edf9bc919857cc2e3fd766ec6c2971fd9c3ad422d4f13
-
Filesize
11KB
MD58a61a25d7748f902ec39976f3a4ccf55
SHA1ed4855800b3f23170769ddd1e78895e735de055a
SHA25665ef006e05e84940d6ef9af40f08916850c9dfb9085e46ebca71ce51599a74dd
SHA512df79bbb99300024089a44e9709b3a6c3051f7ccfe7aabfa5e29ecae8efa23829dc59b9b74a22a8d6ebc7f916a6912bfb4134900adb31a006b9db68fbd0425867
-
Filesize
12KB
MD55d9dda258886185776c6cb3e13a01d44
SHA1bcd0e0d157d6a0b21e961d6033ab01a7226db326
SHA2564e2a1034dc4805e7ae16ca391a67ab6edb04f3f559489eec56523cf8c9704e33
SHA51278508609212732015f32b53d6e05cf5efc2c17da407cfa116ab5341f9f3efa9ec810afa38c537894fd48b574ee9c1dfc1e7a3a918000a84b62e55a119d3b6b58
-
Filesize
8KB
MD5e5f70fae718ee6c8145292c5736f4e94
SHA109fb9b337f5c095c7c36f6bb7028274024c1f461
SHA256301603d8e4544412146e72773ed1e827897411a8dd6bb55d91db69658be66a6b
SHA512d2210947b9ebdfabd1db65d96173e77c75aabce3cae016924b60e683845f695e1b5d53cf44de07733f3b55772005ca2f521fbf7d4f02d6d89b071743b201bdbe
-
Filesize
832KB
MD5d305d506c0095df8af223ac7d91ca327
SHA1679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA51294d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796
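The Downloads list above identifies most dropped files only by size and digests, and the page extraction fused some labels to their values ("MD5d4ce...", "Filesize11KB") while splitting others across two lines. The following is an added example written for this page, not tooling from the sandbox or from the sample's vendor: it parses that flattened form into IoC records, rejects any digest of the wrong length or non-hex content (a truncated hash would otherwise never match anything), and sweeps a directory for files whose SHA256 appears in the list. The two embedded entries are copied verbatim from the list above; the function names, the planted file, its contents and the temporary directory layout are constructed for the demonstration.

```python
import hashlib, os, re, tempfile
from dataclasses import dataclass
from typing import Optional

# Hex-digit counts for the four digests the report lists per dropped file.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# A label optionally followed by its value: the extraction fused some pairs
# ("MD5d4ce...", "Filesize11KB") and split others across two lines.
_FIELD_RE = re.compile(r"^(Filesize|MD5|SHA512|SHA256|SHA1)\s*(.*)$")

# Two entries copied verbatim (flattened, labels fused) from the list above.
SAMPLE_REPORT = r"""
-
Filesize
7KB
MD5d4ce8ad909ff9a2af13715e0316574b8
SHA12ce30e86211d39c4a1fdc602cc257c55610f0860
SHA256035c48716804b1c18133e07a52a6bdb1e82eb6fa01f5c5dec40188e2a4ae911f
SHA512119ab697e13497afbebd63988c3af123ff13d639a3d17165e3390ee9facca4a8ced3163a49ec37f0ee49f1529f31004bde009df5d3cba70b3c2700f93c5cb6d3
-
C:\Windows\System32\DriverStore\FileRepository\oraymir.inf_amd64_neutral_4576e987d6279a34\oraymir.PNF
Filesize11KB
MD5702914d1da046dda226127ad4989b0fb
SHA1cf1493e6ec4965122528ac0492fe514f9d7c27c6
SHA25642257cd55ed0f709bc5eaecac81648f76d5d6c5168128f2960fd8d75b7046dd3
SHA5122882a8a1c8ad8a44af52c6b50fa02d5a7fad8fce9518c9c9a9592a67b524bd9e687b16cc604b4d30fd468f12b098af0f46b9b461f7c2d2d3e28fb095fa179b39
"""

@dataclass(frozen=True)
class DroppedFile:
    path: Optional[str]  # None where the report kept no filename
    size: str
    md5: str
    sha1: str
    sha256: str
    sha512: str

def _record(fields: dict) -> DroppedFile:
    # Reject any digest that is missing, the wrong length or not hex.
    digests = {}
    for name, length in HASH_LENGTHS.items():
        value = fields.get(name, "").lower()
        if len(value) != length or value.strip("0123456789abcdef"):
            raise ValueError(f"{name} digest missing or malformed: {value!r}")
        digests[name] = value
    return DroppedFile(fields.get("path"), fields.get("filesize", "?"), **digests)

def parse_report(text: str) -> list:
    # '-' separates entries; a non-field line is the file path; a bare label
    # takes its value from the next line.
    entries, current, pending = [], {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line == "-":
            if current:
                entries.append(_record(current))
            current, pending = {}, None
        elif pending:
            current[pending], pending = line, None
        elif (m := _FIELD_RE.match(line)):
            label, value = m.group(1).lower(), m.group(2).strip()
            if value:
                current[label] = value
            else:
                pending = label
        else:
            current["path"] = line
    if current:
        entries.append(_record(current))
    return entries

def report_is_well_formed(text: str) -> bool:
    try:
        parse_report(text)
        return True
    except ValueError:
        return False

def sweep_directory(root: str, iocs: list) -> list:
    # Return (path, record) for every file under root whose SHA256 is an IoC.
    by_sha256 = {ioc.sha256: ioc for ioc in iocs}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # locked or unreadable: skip it, do not abort the sweep
            if digest in by_sha256:
                hits.append((full, by_sha256[digest]))
    return hits

def demo_sweep() -> bool:
    # Plant a constructed file in a temp dir and confirm the sweep finds exactly it.
    content = b"constructed sample content, not from the report"
    planted = DroppedFile(None, f"{len(content)}B", "0" * 32, "0" * 40,
                          hashlib.sha256(content).hexdigest(), "0" * 128)
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "planted.bin")
        with open(target, "wb") as fh:
            fh.write(content)
        with open(os.path.join(root, "benign.txt"), "wb") as fh:
            fh.write(b"unrelated")
        hits = sweep_directory(root, parse_report(SAMPLE_REPORT) + [planted])
    return len(hits) == 1 and hits[0][0] == target and hits[0][1] is planted

if __name__ == "__main__":
    for rec in parse_report(SAMPLE_REPORT):
        print(rec.size, rec.sha256, rec.path or "(filename not in report)")
    print("sweep self-check:", demo_sweep())
```

Matching is done on SHA256 only; MD5 and SHA1 are kept in the record for correlating with other reports but are not used as a match key, since collisions are cheap for both. Hashing whole files into memory is fine for the sizes listed here; swap in chunked reads for a sweep over large volumes.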