Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-10-2024 02:07

General

  • Target

    yuanchangkuirr-intrallar.msi

  • Size

    72.3MB

  • MD5

    31e8ef3c0591e3ce82cb1c43fb6459c2

  • SHA1

    2adc3a5470d7e7507c60e6bf88d86985b2d3a7b9

  • SHA256

    9e0543dbde32aeacb27324fc070be63ae7bf679fbe69a4836e3dab627812a7b8

  • SHA512

    c1607b5a051fe034378dee8c27aca1effbdf4ab985a500160f2260403bace6f5575117e73a21878ec3f88d1bde49f56cc99184012cb66d1cb2bdc2a7defb4994

  • SSDEEP

    1572864:DNDFH5QOjDdexAgZt/qNOU1bpJh11+exX8t6iwwdM1ZE0d+LH:1xjDdKAqFqQCJh11/xYP50d+7

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies Windows Firewall 2 TTPs 26 IoCs
  • Drops file in System32 directory 34 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\yuanchangkuirr-intrallar.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2420
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 33DB54815138BAD999151C85A70EC9F1 M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\AnalyzeGentleExplorer'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1948
      • C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe
        "C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe" x "C:\Program Files\AnalyzeGentleExplorer\jtsQyBozxwOIHmIoteVO" -o"C:\Program Files\AnalyzeGentleExplorer\" -pjMgmEjeKlhGKaGgJyBsZ -y
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:764
      • C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe
        "C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe" -number 105 -file file3 -mode mode3 -flag flag3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2984
      • C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe
        "C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe"
        3⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:1212
        • C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe
          "C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe" --mod=install --admin=1
          4⤵
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1752
          • C:\Windows\system32\cmd.exe
            cmd /c install.bat SunloginClient
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2060
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ver
              6⤵
                PID:2340
              • C:\Windows\system32\cmd.exe
                cmd /c netsh advfirewall firewall delete rule name="SunloginClient"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1964
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall delete rule name="SunloginClient"
                  7⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  • Modifies data under HKEY_USERS
                  PID:2840
              • C:\Windows\system32\cmd.exe
                cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=public
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2912
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=public
                  7⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  • Modifies data under HKEY_USERS
                  PID:320
              • C:\Windows\system32\cmd.exe
                cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=public
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3036
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=public
                  7⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  • Modifies data under HKEY_USERS
                  PID:2104
              • C:\Windows\system32\cmd.exe
                cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=public
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2708
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=public
                  7⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  PID:2188
              • C:\Windows\system32\cmd.exe
                cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=public
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:664
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=public
                  7⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  PID:1272
              • C:\Windows\system32\cmd.exe
                cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=domain
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:344
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=domain
                  7⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  • Modifies data under HKEY_USERS
                  PID:1996
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=domain
              6⤵
              PID:2516
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=domain
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • Modifies data under HKEY_USERS
                PID:684
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=domain
              6⤵
              PID:408
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=domain
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:888
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=domain
              6⤵
              PID:2204
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=domain
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • Modifies data under HKEY_USERS
                PID:2244
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=private
              6⤵
              PID:2404
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=private
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:1860
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=private
              6⤵
              PID:1712
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=private
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • Modifies data under HKEY_USERS
                PID:1704
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=private
              6⤵
              PID:1744
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=private
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • Modifies data under HKEY_USERS
                PID:2036
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=private
              6⤵
              PID:3024
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=private
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • Modifies data under HKEY_USERS
                PID:1520
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall delete rule name="SunloginDesktopAgent"
              6⤵
              PID:936
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall delete rule name="SunloginDesktopAgent"
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:944
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=public
              6⤵
              PID:1932
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=public
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • Modifies data under HKEY_USERS
                PID:2196
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=public
              6⤵
              PID:2320
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=public
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • Modifies data under HKEY_USERS
                PID:284
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=public
              6⤵
              PID:1452
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=public
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:2364
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=public
              6⤵
              PID:2868
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=public
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • Modifies data under HKEY_USERS
                PID:2660
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=domain
              6⤵
              PID:1724
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=domain
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:2488
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=domain
              6⤵
              PID:740
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=domain
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:2576
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=domain
              6⤵
              PID:1052
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=domain
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • Modifies data under HKEY_USERS
                PID:3000
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=domain
              6⤵
              PID:876
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=domain
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:2280
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=private
              6⤵
              PID:1548
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=private
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:1688
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=private
              6⤵
              PID:2988
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=private
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:2200
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=private
              6⤵
              PID:3004
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=private
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • Modifies data under HKEY_USERS
                PID:2064
            • C:\Windows\system32\cmd.exe
              cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=private
              6⤵
              PID:2772
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=private
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:1316
          • C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe
            "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=install --cmd=driver_mirror
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies data under HKEY_USERS
            PID:2644
            • C:\Program Files\Oray\SunLogin\SunloginClient\Driver\Mirror64\devcon.exe
              "C:\Program Files\Oray\SunLogin\SunloginClient\Driver\Mirror64\devcon.exe" reinstall "C:\Program Files\Oray\SunLogin\SunloginClient\Driver\Mirror64\OrayMir.inf" C50B00D7-AE62-4936-8BC8-20E0B9F0BEFB
              6⤵
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Executes dropped EXE
              • Modifies data under HKEY_USERS
              PID:2032
          • C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe
            "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --admin=1 --first_install=1
            5⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:2732
            • C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe
              "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=helper --cmd=cuda_check
              6⤵
              • Executes dropped EXE
              PID:2840
            • C:\Windows\system32\taskkill.exe
              taskkill /IM OrayAI.exe /F
              6⤵
              • Kills process with taskkill
              PID:2392
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2120
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000490" "00000000000005A4"
    1⤵
    • Drops file in Windows directory
                                              • Modifies data under HKEY_USERS
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2820
                                            • C:\Windows\system32\DrvInst.exe
                                              DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5d00ecd6-f2d4-257f-3feb-816b669c4154}\oraymir.inf" "9" "6e6179ed3" "0000000000000584" "WinSta0\Default" "00000000000005DC" "208" "c:\program files\oray\sunlogin\sunloginclient\driver\mirror64"
                                              1⤵
                                              • Drops file in System32 directory
                                              • Drops file in Windows directory
                                              • Modifies data under HKEY_USERS
                                              PID:2968
                                            • C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe
                                              "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=service
                                              1⤵
                                              • Drops file in Program Files directory
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:1300
                                              • C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe
                                                "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=watch --pid=1300
                                                2⤵
                                                • Drops file in Program Files directory
                                                • Executes dropped EXE
                                                PID:1704
                                              • C:\Program Files\Oray\SunLogin\SunloginClient\sunlogin_guard\64\sunlogin_guard.exe
                                                "C:\Program Files\Oray\SunLogin\SunloginClient\sunlogin_guard\64\sunlogin_guard.exe" start -mode worker -server api-ti.sunlogin.oray.com -sunlogin -appname "Global\966DDA87-F543-42B4-B6CE-A1225068B7C7" -client_id "" -uid 0 -ua "SLRC/15.6.8.15544 (Windows,x64,appname=sunloginRemoteClient)"
                                                2⤵
                                                • Executes dropped EXE
                                                PID:728
                                              • C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe
                                                "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=update --cmd=check
                                                2⤵
                                                • Executes dropped EXE
                                                PID:2980
                                            • C:\Windows\system32\DrvInst.exe
                                              DrvInst.exe "2" "211" "ROOT\DISPLAY\0000" "C:\Windows\INF\oem2.inf" "oraymir.inf:Oray.NTamd64:OrayMir_Inst:1.0.1.17485:c50b00d7-ae62-4936-8bc8-20e0b9f0befb" "6e6179ed3" "00000000000003E8" "0000000000000594" "00000000000005A4"
                                              1⤵
                                              • Drops file in Drivers directory
                                              • Drops file in System32 directory
                                              • Drops file in Windows directory
                                              • Modifies data under HKEY_USERS
                                              PID:1480

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads


                                              Filesize

                                              16.0MB

                                            • memory/2984-48-0x000000002B090000-0x000000002B0BC000-memory.dmp

                                              Filesize

                                              176KB