2bd63252d1eeec4888e0674d52d5dfa80bd69d8accd64f7fb1ea6bdcbe9d4a61

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/10/2024, 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yuanchangkuirr-intrallar.msi
Size

72.3MB
MD5

31e8ef3c0591e3ce82cb1c43fb6459c2
SHA1

2adc3a5470d7e7507c60e6bf88d86985b2d3a7b9
SHA256

9e0543dbde32aeacb27324fc070be63ae7bf679fbe69a4836e3dab627812a7b8
SHA512

c1607b5a051fe034378dee8c27aca1effbdf4ab985a500160f2260403bace6f5575117e73a21878ec3f88d1bde49f56cc99184012cb66d1cb2bdc2a7defb4994
SSDEEP

1572864:DNDFH5QOjDdexAgZt/qNOU1bpJh11+exX8t6iwwdM1ZE0d+LH:1xjDdKAqFqQCJh11/xYP50d+7

Score

8^/10

discovery evasion execution persistence privilege_escalation upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1948	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\SETC554.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\OrayMir.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETC554.tmp	DrvInst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunloginClient = "\"C:\\Program Files\\Oray\\SunLogin\\SunloginClient\\SunloginClient.exe\" --cmd=autorun"	SunloginClient15544x64.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Modifies Windows Firewall 2 TTPs 26 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1520	netsh.exe
2364	netsh.exe
3000	netsh.exe
2840	netsh.exe
320	netsh.exe
888	netsh.exe
2244	netsh.exe
1704	netsh.exe
2280	netsh.exe
1688	netsh.exe
1860	netsh.exe
284	netsh.exe
2660	netsh.exe
2488	netsh.exe
2104	netsh.exe
2188	netsh.exe
2064	netsh.exe
2196	netsh.exe
2576	netsh.exe
2200	netsh.exe
1272	netsh.exe
1996	netsh.exe
684	netsh.exe
2036	netsh.exe
944	netsh.exe
1316	netsh.exe

Drops file in System32 directory 34 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\OrayMirX64.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\OrayMir.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\OrayMir.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\SETC543.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	devcon.exe
File opened for modification	C:\Windows\system32\OrayMir.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\omirhelp.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oraymir.inf_amd64_neutral_4576e987d6279a34\oraymir.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18D.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\omirhelp.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\oraymir.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7c396eed-5691-76b0-44b5-455981e99927}\SETC18F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oraymir.inf_amd64_neutral_4576e987d6279a34\oraymir.PNF	DrvInst.exe
File created	C:\Windows\system32\SETC504.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\SETC504.tmp	DrvInst.exe
File created	C:\Windows\system32\SETC543.tmp	DrvInst.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1212-50-0x000000013F0E0000-0x00000001400E0000-memory.dmp	upx
behavioral1/memory/2644-179-0x000000013F070000-0x0000000140070000-memory.dmp	upx
behavioral1/files/0x000500000001c8a0-316.dat	upx
behavioral1/memory/728-371-0x0000000000030000-0x0000000000CD8000-memory.dmp	upx
behavioral1/memory/1300-377-0x000000013F8C0000-0x00000001408C0000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oray\SunLogin\SunloginClient\athr_swoi.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-control-ssh.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\log\sunlogin_service.20241023-021007.log	SunloginClient.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer	fUsKbQztGnwa.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-audio.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-cmd.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-ortc.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-usbip.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe	SunloginClient.exe
File opened for modification	C:\Program Files\Oray\SunLogin\SunloginClient\config.ini	SunloginClient.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\Mirror64\OrayMir.sys	SunloginClient15544x64.exe
File created	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe	KXwXckjFEiVp.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\DpmsMonitor64\oraydpmsx64.cat	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\OrayUSBVHCI\x64\OrayUSBVHCI.sys	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-camera.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-control-camera.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\log\shell.20241023-021022.log	SunloginClient.exe
File created	C:\Program Files\AnalyzeGentleExplorer\common_clang32.dll	msiexec.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\Idd64\orayidddriver.cat	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\Print64\OrayPrint.inf	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\Print64\OrayPrintProcessor.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\VGC64\OrayVGC.inf	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\Vhid64\orayvhid.sys	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-file.dll	SunloginClient15544x64.exe
File opened for modification	C:\Program Files\Oray\SunLogin\SunloginClient\log\history.log	SunloginClient.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe	KXwXckjFEiVp.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-codec.dll	SunloginClient15544x64.exe
File created	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa	KXwXckjFEiVp.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\DpmsMonitor64\oraydpms.inf	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\Mirror64\devcon.exe	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\Mirror64\omirhelp.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\CopyRights.txt	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-control-file.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-net-p2p.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient_Test.zip	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\RCHook.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-control-desktop.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\Vhid64\orayvhidkmdf.sys	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe	SunloginClient15544x64.exe
File opened for modification	C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\Modules_Test.zip	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\Idd64\OrayIddDriver.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\OrayUSBStub\x64\OrayUSBStub.sys	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\OrayUSBVHCI\x64\orayusbvhci.cat	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\Vhid64\orayvhid.cat	SunloginClient15544x64.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.xml	KXwXckjFEiVp.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-control-cmd.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-desktop.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\Mirror64\oraymirx64.cat	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\OrayUSBVHCI\x64\OrayUSBVHCI.inf	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\VGC64\OrayVGC.sys	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\Vhid64\devcon.exe	SunloginClient15544x64.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa	KXwXckjFEiVp.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\itmprc\ssh.exe	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\sunlogin_guard\64\sunlogin_guard.exe	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-rdp.dll	SunloginClient15544x64.exe
File created	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.xml	KXwXckjFEiVp.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\OrayUSBMon\x64\OrayUSBMon.sys	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\plugins\sl-client-saddc.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\log\sunlogin_service_watch.20241023-021007.log	SunloginClient.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\OrayUSBMon\x64\orayusbmon.cat	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\DIFxAPI.x64.dll	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\OrayUSBStub\x64\orayusbstub.cat	SunloginClient15544x64.exe
File created	C:\Program Files\Oray\SunLogin\SunloginClient\driver\Print64\orayprint.cat	SunloginClient15544x64.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f771575.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f771577.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\Installer\f771574.msi	msiexec.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File created	C:\Windows\Installer\f771574.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16CB.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	devcon.exe
File opened for modification	C:\Windows\setuperr.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f771575.ipi	msiexec.exe
File opened for modification	C:\Windows\setupact.log	devcon.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

Executes dropped EXE 12 IoCs

pid	Process
764	KXwXckjFEiVp.exe
2984	fUsKbQztGnwa.exe
1212	SunloginClient15544x64.exe
1752	SunloginClient15544x64.exe
2644	SunloginClient.exe
2032	devcon.exe
1300	SunloginClient.exe
1704	SunloginClient.exe
728	sunlogin_guard.exe
2980	SunloginClient.exe
2732	SunloginClient.exe
2840	SunloginClient.exe

Loads dropped DLL 14 IoCs

pid	Process
824	MsiExec.exe
2984	fUsKbQztGnwa.exe
2984	fUsKbQztGnwa.exe
1752	SunloginClient15544x64.exe
1752	SunloginClient15544x64.exe
1752	SunloginClient15544x64.exe
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
2644	SunloginClient.exe
2644	SunloginClient.exe
1300	SunloginClient.exe
2932	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2420	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fUsKbQztGnwa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KXwXckjFEiVp.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2392	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	SunloginClient15544x64.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	devcon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001	SunloginClient15544x64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\System	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	SunloginClient.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\PackageName = "yuanchangkuirr-intrallar.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Version = "67567622"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C6BDC420EDD7D3E42A4DC9EAE81B4DFB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\PackageCode = "16365A16AE1FE094B86DB5BC2E221855"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C19253CA00EB68D488C5FD8D3377BD29\C6BDC420EDD7D3E42A4DC9EAE81B4DFB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\ProductName = "AnalyzeGentleExplorer"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C19253CA00EB68D488C5FD8D3377BD29	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
792	msiexec.exe
792	msiexec.exe
1948	powershell.exe
2984	fUsKbQztGnwa.exe
1752	SunloginClient15544x64.exe
1752	SunloginClient15544x64.exe
1752	SunloginClient15544x64.exe
1752	SunloginClient15544x64.exe
1752	SunloginClient15544x64.exe
1752	SunloginClient15544x64.exe
1752	SunloginClient15544x64.exe
1752	SunloginClient15544x64.exe
1300	SunloginClient.exe
1300	SunloginClient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2420	msiexec.exe
Token: SeRestorePrivilege	792	msiexec.exe
Token: SeTakeOwnershipPrivilege	792	msiexec.exe
Token: SeSecurityPrivilege	792	msiexec.exe
Token: SeCreateTokenPrivilege	2420	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2420	msiexec.exe
Token: SeLockMemoryPrivilege	2420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2420	msiexec.exe
Token: SeMachineAccountPrivilege	2420	msiexec.exe
Token: SeTcbPrivilege	2420	msiexec.exe
Token: SeSecurityPrivilege	2420	msiexec.exe
Token: SeTakeOwnershipPrivilege	2420	msiexec.exe
Token: SeLoadDriverPrivilege	2420	msiexec.exe
Token: SeSystemProfilePrivilege	2420	msiexec.exe
Token: SeSystemtimePrivilege	2420	msiexec.exe
Token: SeProfSingleProcessPrivilege	2420	msiexec.exe
Token: SeIncBasePriorityPrivilege	2420	msiexec.exe
Token: SeCreatePagefilePrivilege	2420	msiexec.exe
Token: SeCreatePermanentPrivilege	2420	msiexec.exe
Token: SeBackupPrivilege	2420	msiexec.exe
Token: SeRestorePrivilege	2420	msiexec.exe
Token: SeShutdownPrivilege	2420	msiexec.exe
Token: SeDebugPrivilege	2420	msiexec.exe
Token: SeAuditPrivilege	2420	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2420	msiexec.exe
Token: SeChangeNotifyPrivilege	2420	msiexec.exe
Token: SeRemoteShutdownPrivilege	2420	msiexec.exe
Token: SeUndockPrivilege	2420	msiexec.exe
Token: SeSyncAgentPrivilege	2420	msiexec.exe
Token: SeEnableDelegationPrivilege	2420	msiexec.exe
Token: SeManageVolumePrivilege	2420	msiexec.exe
Token: SeImpersonatePrivilege	2420	msiexec.exe
Token: SeCreateGlobalPrivilege	2420	msiexec.exe
Token: SeBackupPrivilege	2120	vssvc.exe
Token: SeRestorePrivilege	2120	vssvc.exe
Token: SeAuditPrivilege	2120	vssvc.exe
Token: SeBackupPrivilege	792	msiexec.exe
Token: SeRestorePrivilege	792	msiexec.exe
Token: SeRestorePrivilege	2820	DrvInst.exe
Token: SeRestorePrivilege	2820	DrvInst.exe
Token: SeRestorePrivilege	2820	DrvInst.exe
Token: SeRestorePrivilege	2820	DrvInst.exe
Token: SeRestorePrivilege	2820	DrvInst.exe
Token: SeRestorePrivilege	2820	DrvInst.exe
Token: SeRestorePrivilege	2820	DrvInst.exe
Token: SeLoadDriverPrivilege	2820	DrvInst.exe
Token: SeLoadDriverPrivilege	2820	DrvInst.exe
Token: SeLoadDriverPrivilege	2820	DrvInst.exe
Token: SeRestorePrivilege	792	msiexec.exe
Token: SeTakeOwnershipPrivilege	792	msiexec.exe
Token: SeRestorePrivilege	792	msiexec.exe
Token: SeTakeOwnershipPrivilege	792	msiexec.exe
Token: SeRestorePrivilege	792	msiexec.exe
Token: SeTakeOwnershipPrivilege	792	msiexec.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeRestorePrivilege	764	KXwXckjFEiVp.exe
Token: 35	764	KXwXckjFEiVp.exe
Token: SeSecurityPrivilege	764	KXwXckjFEiVp.exe
Token: SeSecurityPrivilege	764	KXwXckjFEiVp.exe
Token: SeRestorePrivilege	792	msiexec.exe
Token: SeTakeOwnershipPrivilege	792	msiexec.exe
Token: SeRestorePrivilege	792	msiexec.exe
Token: SeTakeOwnershipPrivilege	792	msiexec.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2420	msiexec.exe
2420	msiexec.exe
1752	SunloginClient15544x64.exe
2732	SunloginClient.exe
2732	SunloginClient.exe
2732	SunloginClient.exe
2732	SunloginClient.exe
2732	SunloginClient.exe
2732	SunloginClient.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2732	SunloginClient.exe
2732	SunloginClient.exe
2732	SunloginClient.exe
2732	SunloginClient.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1752	SunloginClient15544x64.exe
2732	SunloginClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 824	792	msiexec.exe	35
PID 792 wrote to memory of 824	792	msiexec.exe	35
PID 792 wrote to memory of 824	792	msiexec.exe	35
PID 792 wrote to memory of 824	792	msiexec.exe	35
PID 792 wrote to memory of 824	792	msiexec.exe	35
PID 824 wrote to memory of 1948	824	MsiExec.exe	37
PID 824 wrote to memory of 1948	824	MsiExec.exe	37
PID 824 wrote to memory of 1948	824	MsiExec.exe	37
PID 824 wrote to memory of 764	824	MsiExec.exe	39
PID 824 wrote to memory of 764	824	MsiExec.exe	39
PID 824 wrote to memory of 764	824	MsiExec.exe	39
PID 824 wrote to memory of 764	824	MsiExec.exe	39
PID 824 wrote to memory of 2984	824	MsiExec.exe	41
PID 824 wrote to memory of 2984	824	MsiExec.exe	41
PID 824 wrote to memory of 2984	824	MsiExec.exe	41
PID 824 wrote to memory of 2984	824	MsiExec.exe	41
PID 824 wrote to memory of 1212	824	MsiExec.exe	42
PID 824 wrote to memory of 1212	824	MsiExec.exe	42
PID 824 wrote to memory of 1212	824	MsiExec.exe	42
PID 1212 wrote to memory of 1752	1212	SunloginClient15544x64.exe	43
PID 1212 wrote to memory of 1752	1212	SunloginClient15544x64.exe	43
PID 1212 wrote to memory of 1752	1212	SunloginClient15544x64.exe	43
PID 1752 wrote to memory of 2060	1752	SunloginClient15544x64.exe	44
PID 1752 wrote to memory of 2060	1752	SunloginClient15544x64.exe	44
PID 1752 wrote to memory of 2060	1752	SunloginClient15544x64.exe	44
PID 2060 wrote to memory of 2340	2060	cmd.exe	46
PID 2060 wrote to memory of 2340	2060	cmd.exe	46
PID 2060 wrote to memory of 2340	2060	cmd.exe	46
PID 2060 wrote to memory of 1964	2060	cmd.exe	47
PID 2060 wrote to memory of 1964	2060	cmd.exe	47
PID 2060 wrote to memory of 1964	2060	cmd.exe	47
PID 1964 wrote to memory of 2840	1964	cmd.exe	48
PID 1964 wrote to memory of 2840	1964	cmd.exe	48
PID 1964 wrote to memory of 2840	1964	cmd.exe	48
PID 2060 wrote to memory of 2912	2060	cmd.exe	49
PID 2060 wrote to memory of 2912	2060	cmd.exe	49
PID 2060 wrote to memory of 2912	2060	cmd.exe	49
PID 2912 wrote to memory of 320	2912	cmd.exe	50
PID 2912 wrote to memory of 320	2912	cmd.exe	50
PID 2912 wrote to memory of 320	2912	cmd.exe	50
PID 2060 wrote to memory of 3036	2060	cmd.exe	52
PID 2060 wrote to memory of 3036	2060	cmd.exe	52
PID 2060 wrote to memory of 3036	2060	cmd.exe	52
PID 3036 wrote to memory of 2104	3036	cmd.exe	53
PID 3036 wrote to memory of 2104	3036	cmd.exe	53
PID 3036 wrote to memory of 2104	3036	cmd.exe	53
PID 2060 wrote to memory of 2708	2060	cmd.exe	54
PID 2060 wrote to memory of 2708	2060	cmd.exe	54
PID 2060 wrote to memory of 2708	2060	cmd.exe	54
PID 2708 wrote to memory of 2188	2708	cmd.exe	55
PID 2708 wrote to memory of 2188	2708	cmd.exe	55
PID 2708 wrote to memory of 2188	2708	cmd.exe	55
PID 2060 wrote to memory of 664	2060	cmd.exe	56
PID 2060 wrote to memory of 664	2060	cmd.exe	56
PID 2060 wrote to memory of 664	2060	cmd.exe	56
PID 664 wrote to memory of 1272	664	cmd.exe	57
PID 664 wrote to memory of 1272	664	cmd.exe	57
PID 664 wrote to memory of 1272	664	cmd.exe	57
PID 2060 wrote to memory of 344	2060	cmd.exe	58
PID 2060 wrote to memory of 344	2060	cmd.exe	58
PID 2060 wrote to memory of 344	2060	cmd.exe	58
PID 344 wrote to memory of 1996	344	cmd.exe	59
PID 344 wrote to memory of 1996	344	cmd.exe	59
PID 344 wrote to memory of 1996	344	cmd.exe	59

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\yuanchangkuirr-intrallar.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2420

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 33DB54815138BAD999151C85A70EC9F1 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\AnalyzeGentleExplorer'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe
    "C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe" x "C:\Program Files\AnalyzeGentleExplorer\jtsQyBozxwOIHmIoteVO" -o"C:\Program Files\AnalyzeGentleExplorer\" -pjMgmEjeKlhGKaGgJyBsZ -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- - C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe
    "C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe" -number 105 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2984
- - C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe
    "C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe
      "C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe" --mod=install --admin=1
      4⤵
      Adds Run key to start application
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\system32\cmd.exe
        
        cmd /c install.bat SunloginClient
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2060
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        6⤵
        
        PID:2340
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall delete rule name="SunloginClient"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name="SunloginClient"
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        Modifies data under HKEY_USERS
        
        PID:2840
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=public
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=public
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        Modifies data under HKEY_USERS
        
        PID:320
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=public
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=public
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        Modifies data under HKEY_USERS
        
        PID:2104
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=public
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=public
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2188
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=public
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=public
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1272
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=domain
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=domain
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        Modifies data under HKEY_USERS
        
        PID:1996
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=domain
        6⤵
        
        PID:2516
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=domain
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        Modifies data under HKEY_USERS
        
        PID:684
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=domain
        6⤵
        
        PID:408
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=domain
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:888
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=domain
        6⤵
        
        PID:2204
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=domain
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        Modifies data under HKEY_USERS
        
        PID:2244
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=private
        6⤵
        
        PID:2404
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=private
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1860
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=private
        6⤵
        
        PID:1712
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginClient" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=private
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        Modifies data under HKEY_USERS
        
        PID:1704
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=private
        6⤵
        
        PID:1744
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=tcp enable=yes profile=private
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        Modifies data under HKEY_USERS
        
        PID:2036
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=private
        6⤵
        
        PID:3024
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginClient" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" protocol=udp enable=yes profile=private
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        Modifies data under HKEY_USERS
        
        PID:1520
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall delete rule name="SunloginDesktopAgent"
        6⤵
        
        PID:936
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name="SunloginDesktopAgent"
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:944
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=public
        6⤵
        
        PID:1932
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=public
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        Modifies data under HKEY_USERS
        
        PID:2196
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=public
        6⤵
        
        PID:2320
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=public
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        Modifies data under HKEY_USERS
        
        PID:284
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=public
        6⤵
        
        PID:1452
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=public
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2364
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=public
        6⤵
        
        PID:2868
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=public
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        Modifies data under HKEY_USERS
        
        PID:2660
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=domain
        6⤵
        
        PID:1724
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=domain
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2488
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=domain
        6⤵
        
        PID:740
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=domain
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2576
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=domain
        6⤵
        
        PID:1052
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=domain
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        Modifies data under HKEY_USERS
        
        PID:3000
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=domain
        6⤵
        
        PID:876
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=domain
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2280
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=private
        6⤵
        
        PID:1548
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=private
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1688
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=private
        6⤵
        
        PID:2988
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=in action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=private
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2200
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=private
        6⤵
        
        PID:3004
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=tcp enable=yes profile=private
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        Modifies data under HKEY_USERS
        
        PID:2064
      - C:\Windows\system32\cmd.exe
        
        cmd /c netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=private
        6⤵
        
        PID:2772
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="SunloginDesktopAgent" dir=out action=allow program="C:\Program Files\Oray\SunLogin\SunloginClient\agent\SunloginClient.exe" protocol=udp enable=yes profile=private
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1316
    - - C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe
        
        "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=install --cmd=driver_mirror
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:2644
      - C:\Program Files\Oray\SunLogin\SunloginClient\Driver\Mirror64\devcon.exe
        
        "C:\Program Files\Oray\SunLogin\SunloginClient\Driver\Mirror64\devcon.exe" reinstall "C:\Program Files\Oray\SunLogin\SunloginClient\Driver\Mirror64\OrayMir.inf" C50B00D7-AE62-4936-8BC8-20E0B9F0BEFB
        6⤵
        Drops file in System32 directory
        Drops file in Windows directory
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2032
    - - C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe
        
        "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --admin=1 --first_install=1
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2732
      - C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe
        
        "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=helper --cmd=cuda_check
        6⤵
        Executes dropped EXE
        
        PID:2840
      - C:\Windows\system32\taskkill.exe
        
        taskkill /IM OrayAI.exe /F
        6⤵
        Kills process with taskkill
        
        PID:2392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000490" "00000000000005A4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5d00ecd6-f2d4-257f-3feb-816b669c4154}\oraymir.inf" "9" "6e6179ed3" "0000000000000584" "WinSta0\Default" "00000000000005DC" "208" "c:\program files\oray\sunlogin\sunloginclient\driver\mirror64"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2968

C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe
"C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=service
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1300
- C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe
  "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=watch --pid=1300
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:1704
- C:\Program Files\Oray\SunLogin\SunloginClient\sunlogin_guard\64\sunlogin_guard.exe
  "C:\Program Files\Oray\SunLogin\SunloginClient\sunlogin_guard\64\sunlogin_guard.exe" start -mode worker -server api-ti.sunlogin.oray.com -sunlogin -appname "Global\966DDA87-F543-42B4-B6CE-A1225068B7C7" -client_id "" -uid 0 -ua "SLRC/15.6.8.15544 (Windows,x64,appname=sunloginRemoteClient)"
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe
  "C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe" --mod=update --cmd=check
  2⤵
  - Executes dropped EXE
  PID:2980

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\DISPLAY\0000" "C:\Windows\INF\oem2.inf" "oraymir.inf:Oray.NTamd64:OrayMir_Inst:1.0.1.17485:c50b00d7-ae62-4936-8bc8-20e0b9f0befb" "6e6179ed3" "00000000000003E8" "0000000000000594" "00000000000005A4"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f771576.rbs

Filesize
7KB

MD5
d4ce8ad909ff9a2af13715e0316574b8

SHA1
2ce30e86211d39c4a1fdc602cc257c55610f0860

SHA256
035c48716804b1c18133e07a52a6bdb1e82eb6fa01f5c5dec40188e2a4ae911f

SHA512
119ab697e13497afbebd63988c3af123ff13d639a3d17165e3390ee9facca4a8ced3163a49ec37f0ee49f1529f31004bde009df5d3cba70b3c2700f93c5cb6d3

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe

Filesize
577KB

MD5
11fa744ebf6a17d7dd3c58dc2603046d

SHA1
d99de792fd08db53bb552cd28f0080137274f897

SHA256
1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d

SHA512
424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

Download Submit
C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe

Filesize
2.9MB

MD5
a2e29c5a531ca5fdf5d4c7e75ba2748c

SHA1
1709ea8be99923c6ee4eb369e3971e3522d67f36

SHA256
ef86954f2831682faf3655901cf82afe0d7d6fc62e8335a2f508af5d03f03d5c

SHA512
e4fee7e410f8f199aa79f014290c0312d720fdb92a6efc48db5badea4fa4610bf344f23d3b7516b2a0e181aa8b27b00e446665a83de4b2d0acfa2e664df64434

Download Submit
C:\Program Files\AnalyzeGentleExplorer\jtsQyBozxwOIHmIoteVO

Filesize
2.1MB

MD5
5aba1a676ca0de4994c623060e05f946

SHA1
e792c676bdbecd6baf1516fd3adbba06764aec98

SHA256
0a9d3dee1cf01c5f909c19e2821975397106b70581bc32c845ae9ef584bd1c32

SHA512
55bc57941e1f76844881eecd56f65b35c2f7eff614a02a47a0f6b5ab41d2a4512b9b970fd658652b8fc56a07a78b46ce2c246798d82f5d256a80f5025ac5d6b4

Download Submit
C:\Program Files\Oray\SunLogin\SunloginClient\Driver\Mirror64\OrayMir.inf

Filesize
2KB

MD5
7f40a58b00a40048eb31761519dece03

SHA1
b84ceb5cd8206ab32ef276d96331709b016e90e7

SHA256
911aebeb980746cc03083cf720ecb2f5f0d62e731cb84c207524f1dd7849abf6

SHA512
037346ba9fc3916fe21f86cf5d3df39677f0cc24f250b33b3e6e7e8193f0e01342f3b95a5ebbccea9eb6888f36b78dfcc6f2987ca6d0db8593444b73f7fe3a93

Download Submit
C:\Program Files\Oray\SunLogin\SunloginClient\Driver\Mirror64\devcon.exe

Filesize
88KB

MD5
c03c7874fb9b3d79f6d96177e87c323f

SHA1
05c0a54a248ae8e2391f8d316dc0976493f4a7b6

SHA256
33f3be5e34b1b354e1498a94618df6ffafbd6fa86b02d31511fffb1335b0aeb9

SHA512
744fd306372508af97987a2435e0492dd27e90453ee1dbb7eb6343318b9e221e2a28b2599c8ac19d1dda34c1b93d75301967e711813f3ba65fbd0d939b9238a3

Download Submit
C:\Program Files\Oray\SunLogin\SunloginClient\config.ini

Filesize
62B

MD5
b893e9975b295835d1655111050c5f7c

SHA1
e736c52cbef70e3f1564f364640c5bfe6437553f

SHA256
b5daaa1c34505f56dcf46eea254970c1d53c8b80194bdfc562fb11ec73782b9c

SHA512
6cbba913c806abe03f3f538f65436bdbfdd80fcc0bc13b2581e0015f47a2f69822fcffc247a4c37e74ba9958082de600674f93ddd1f0923b2e5f05cd9de3ea68

Download Submit
C:\Program Files\Oray\SunLogin\SunloginClient\config.ini

Filesize
211B

MD5
efe9917b7d0685d27e74fdb389f6843d

SHA1
9c396e7c397c12e9cdb8cb018937f2472b406cc0

SHA256
9d0c7a00ff482092919ca8c7e9ad28e8a5ca26811bc4c4e1f4916841a5cea845

SHA512
9fdc3787b68f08e37df82da9bb9ce89463c8a6acae8b15e35f7016ebe9dd74c611ea2cc438bffaf3cab05ff1513bb241487a65aa4c6f422216a1fddf7ecaca21

Download Submit
C:\Program Files\Oray\SunLogin\SunloginClient\config.ini

Filesize
228B

MD5
01c33aed5b01ca8df9a4d76053b664fe

SHA1
7b24322f7b67ec6fb08d720b0b3011bb3f06c9b5

SHA256
b1018b299f3b10a5014ec1755915b005087e390eb1a2e9a097e2becf3a93ea66

SHA512
8a8dbb175147ca7afe9b2dce990c2316587cb314a9b59617a41f701dd4ad92080d9cf5c92b5bc33b0723d05ec48326b535978f1333abd7a8efba6d1ef385cee9

Download Submit
C:\Program Files\Oray\SunLogin\SunloginClient\config.ini

Filesize
497B

MD5
873c24f09dc0d3890261be13fa8afb55

SHA1
d83afa23c380abf51769fb48e131936cf7407269

SHA256
d32c0c2aa60f8ed2c4ca6797a6f9ad2eadd07cd45788636a85353348d83e3044

SHA512
26ce086de6857af8d8a4c6e2e0d9a17644e2f6defd0c94a27247d6e4f7bd7a0a85da48bc794c7216b8decb9ce4b5b8edea5044c62168d52574f3ab86cf458983

Download Submit
C:\Program Files\Oray\SunLogin\SunloginClient\config.ini

Filesize
555B

MD5
78ce63e3e76cb76ac31d9570cd32c8fc

SHA1
7aa5d32e6b5fb3f0ebf7365298c3e62048d2940e

SHA256
53be326c5efa7035cf662a6ece6ae7f00ec7ebbe22a53d53a3306f20362954be

SHA512
eb5c67e14f82351a7b1e3fb5532718e6bd25bf822c45105a79e5927ac4294aede45fa9df47231946f88f4565c55fa583b1caceb67b13c659185c8e505b4ef920

Download Submit
C:\Program Files\Oray\SunLogin\SunloginClient\config.ini

Filesize
577B

MD5
7500261c6220e22c53ccd16a73f2ce49

SHA1
62fe5f6f7ecfa5940613100c954e58919f60b39c

SHA256
b6cdf38887f8d196b27dd9a7c06a8f56c3a75fbbe183352b881fdff5ca986715

SHA512
3682d7a862ee289f89a221a17bb94916fd8d3615ae5e72e508c41c3f9865710ec7a7f3d9ba40718c891ba2dcd600aef620b262148d9dcb6127a0bed9635cda30

Download Submit
C:\Program Files\Oray\SunLogin\SunloginClient\config.ini

Filesize
606B

MD5
85f5bd3cd500e1b2aeddfa8e9b05d3b0

SHA1
f5adb8d1c266fca7e6ecbee94c66998979012041

SHA256
0c64b94ec59d44b170a713d85d35a04cba730202a57eaf5b463e930fe4b6e06c

SHA512
8d98a8604e9ea05a9e2506a1111e1c3f1df2f8163b4f207310a57f8276aea8f88aa8578ddfb439639c31671aa8ff36bc5be859cce3d8eb6738ad1bb5e22386be

Download Submit
C:\Program Files\Oray\SunLogin\SunloginClient\config.ini

Filesize
617B

MD5
545159d07a91397d527f1a7e961c1dba

SHA1
57e78042b5ff68879f3e464906ad11212d98bfe6

SHA256
655992a2fad31b28346f10211b7a01ba712473a2a302fe916188ca277acba16d

SHA512
9e848d410f94ade2470cad64c6da341a035a9e7f846e23de62737416b665ed7a8447ae0bb22cf0753e84887cdb880b93e7e60920fe42d479d848742650c9d9d1

Download Submit
C:\Program Files\Oray\SunLogin\SunloginClient\install.bat

Filesize
4KB

MD5
fecc9827c5095279cab9ae0527c28be7

SHA1
63839ceeb13e4cfceb04fb35c875127ec4462772

SHA256
77470fac948497f08c40f2d960db3dc3476bda636f176f5ba18eae3f8aec0f4f

SHA512
4014cac462e74ad4b5bf7709efd2ab1506a7936f7b827fdf830420ade707c4729084f723c22e7bcee47ea9fc6e249e255060dbcc9895409566d35d094a827a75

Download Submit
C:\Program Files\Oray\SunLogin\SunloginClient\sunlogin_guard\64\sunlogin_guard.exe

Filesize
6.7MB

MD5
0d7110765f87087a158204a7a09edc4b

SHA1
1299732166ab4b4fd508255a35fcf8ae46d37f12

SHA256
f238cbfba968f9b8d163735166476e45d1cd467312b022522daf45734925ce0b

SHA512
0c7dbcf41ccfc6a564f687cc05b275ed022554e7f2b9e8bb7cf70030b9d87da960686e3550ca8cf3c93f393fe37b0f17aa5e2f3afff5352a0714d1fad5038f14

Download Submit
C:\ProgramData\Oray\SunloginClient\sys_config.ini

Filesize
175B

MD5
8c9fbbbe7b7569139f6ae49e205054f5

SHA1
d18f010691c35dfacc5a5d6ba17d0a5d803e998e

SHA256
787d7b69db310fc95a26ec9cfe427cffcb184cf8975e9d10f24e990dc357837d

SHA512
fd7778b4df7fd4c81f1502b04306b49db5a11ca46390f2e61d1be30098e2e1b990ba4c98591245c6f7f9a87aae7f9c5ade09a8d4cb7cfde6c3b86b1fe552462d

Download Submit
C:\ProgramData\Oray\SunloginClient\sys_config.ini

Filesize
199B

MD5
400b294d1d93a0f2652acd09f9ae9c5e

SHA1
79510519ca410483f2fc172d0ee911e332eac007

SHA256
08c238a5bcd727e68d3bb6bbd5085b5ff5cd327d73fb716d4baa2d1df1a3ff5e

SHA512
63865434593f78b8ef58906e2bef52a5e14b1d6b194901c887bec71193d872efc58ecf57135a13fc034bab8209f086461480e92cbfbc93432d23e43d38b565f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\check_sign_test.log

Filesize
308B

MD5
62c5f47ce270221341589c69ebffe40b

SHA1
b3a4e976b31b298fa24526e21ff693de0ac70112

SHA256
e9b3931fdba77493dcdf4117ea88cd849ff76db2035d7f4f240bb8d9d5925b6c

SHA512
7e34778506c48dfb51c149c452fd623f890cc0d7e01e325cac970b3ffcfe45b68a473fa949b9901cf354aac3971c988053e9c0601f74b2ce2b09c7244d6e63db

Download Submit
C:\Users\Admin\AppData\Local\Temp\check_sign_test.log

Filesize
310B

MD5
c256dc950a96c711ae515ce274a3c38a

SHA1
e2a639888d3faf686be8ac6f811f76e6915228eb

SHA256
930ed7283301dcbaac640c35c47f6febea808e64b6e5bd2f51863551aed2011f

SHA512
24d8f26d83c410182fd6787806d01bcf0742748d00b793d27c55e5795a50d862275e9fa3dd8004935bc7427f1d0946949194c9ee2d8cd8e04e041a4db2051a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnscache.json

Filesize
754B

MD5
93b5d229cb3f84332c9bddf9b363107d

SHA1
85a752d449d700f94c5063df42584d7097966a3d

SHA256
8c47ef5fbcdcc09d1674a83a910da4265cd279ecadbe8039c8885950ab6c4d98

SHA512
b6183fb44e976fd7aba6672ff1877bed2ec8430ec60a9d4ae5e5c13cc386b05440bea2f6ede3c355a2311593dc4ea6a815c504241fc591712ef6b1109fe43282

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oraymir.inf_amd64_neutral_4576e987d6279a34\oraymir.PNF

Filesize
11KB

MD5
702914d1da046dda226127ad4989b0fb

SHA1
cf1493e6ec4965122528ac0492fe514f9d7c27c6

SHA256
42257cd55ed0f709bc5eaecac81648f76d5d6c5168128f2960fd8d75b7046dd3

SHA512
2882a8a1c8ad8a44af52c6b50fa02d5a7fad8fce9518c9c9a9592a67b524bd9e687b16cc604b4d30fd468f12b098af0f46b9b461f7c2d2d3e28fb095fa179b39

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
1bd7beca4338b9cf377c3ba60e3171bd

SHA1
c04be255cca75710ea0e21cf18f4363b19df8bd0

SHA256
89f49dfc5317c97f8b0e066db52a25a9a130517e75abe1ba14593162b6ee2c4e

SHA512
72a125493cd8daf6842c64e895b8a3b3f240df44d7a6d8e166f7672e62c54ebdfed7edcc1b4db564785965fdf8e1952dd5ed4b304e211d2dd5c661bd8822e04c

Download Submit
C:\Windows\TEMP\dnscache.json

Filesize
320B

MD5
8dfaa7511926b0c727c97c8d54c826d1

SHA1
d36f86a9ac8f2a5c13d45fc29bc7786ca6a5271c

SHA256
df8981a8011b2cb289db1f3a0cc97f883b5704958126b56185846e413ae72b18

SHA512
670419ed2c2fab5448f368343f24f699a7b307bf9fd8b98b556bdf4c8bdd8fade9bbf3c220823b26f9fefa1d513f7c6010fade015aecfcdeceba42b7d5873ea8

Download Submit
C:\Windows\inf\oem2.PNF

Filesize
11KB

MD5
c0f1f6139f9f0233dff9554b1c8abe76

SHA1
674e8611cdb50499bb5d1c8f07c27e98a451937b

SHA256
8d72208721b65928dfb62c9cfdacfbcc99b6e745fa93816edfc0e7ae73dd6765

SHA512
b6174d31b35aaafdc8264812efa43e3baadcfde7686c82b130ec39bb21705982d890f42554f68df7066048caef510f4bcaaa0c99f1ef82166d9466ca91b54fb4

Download Submit
\??\c:\PROGRA~1\oray\sunlogin\SUNLOG~1\driver\mirror64\OrayMir.dll

Filesize
34KB

MD5
d275259c36eb1ee4f8eaaa9d2306d5c2

SHA1
695648ddc5ac38d11e9f62bd033e68b4404e57f9

SHA256
96dc4482f0d4f04d760efccb42941161fe8f16f4f347716baf361f7320c4be3e

SHA512
1d53b55d7edffd277ed366c44917bcfbd0caf1bf26c2c32b647a4984670223750b4a61310ca3f3dbf87edf9bc919857cc2e3fd766ec6c2971fd9c3ad422d4f13

Download Submit
\??\c:\PROGRA~1\oray\sunlogin\SUNLOG~1\driver\mirror64\OrayMir.sys

Filesize
11KB

MD5
8a61a25d7748f902ec39976f3a4ccf55

SHA1
ed4855800b3f23170769ddd1e78895e735de055a

SHA256
65ef006e05e84940d6ef9af40f08916850c9dfb9085e46ebca71ce51599a74dd

SHA512
df79bbb99300024089a44e9709b3a6c3051f7ccfe7aabfa5e29ecae8efa23829dc59b9b74a22a8d6ebc7f916a6912bfb4134900adb31a006b9db68fbd0425867

Download Submit
\??\c:\PROGRA~1\oray\sunlogin\SUNLOG~1\driver\mirror64\omirhelp.dll

Filesize
12KB

MD5
5d9dda258886185776c6cb3e13a01d44

SHA1
bcd0e0d157d6a0b21e961d6033ab01a7226db326

SHA256
4e2a1034dc4805e7ae16ca391a67ab6edb04f3f559489eec56523cf8c9704e33

SHA512
78508609212732015f32b53d6e05cf5efc2c17da407cfa116ab5341f9f3efa9ec810afa38c537894fd48b574ee9c1dfc1e7a3a918000a84b62e55a119d3b6b58

Download Submit
\??\c:\program files\oray\sunlogin\sunloginclient\driver\mirror64\OrayMirX64.cat

Filesize
8KB

MD5
e5f70fae718ee6c8145292c5736f4e94

SHA1
09fb9b337f5c095c7c36f6bb7028274024c1f461

SHA256
301603d8e4544412146e72773ed1e827897411a8dd6bb55d91db69658be66a6b

SHA512
d2210947b9ebdfabd1db65d96173e77c75aabce3cae016924b60e683845f695e1b5d53cf44de07733f3b55772005ca2f521fbf7d4f02d6d89b071743b201bdbe

Download Submit
\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
memory/728-371-0x0000000000030000-0x0000000000CD8000-memory.dmp

Filesize
12.7MB

Download
memory/824-12-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1212-50-0x000000013F0E0000-0x00000001400E0000-memory.dmp

Filesize
16.0MB

Download
memory/1300-377-0x000000013F8C0000-0x00000001408C0000-memory.dmp

Filesize
16.0MB

Download
memory/1948-18-0x00000000023B0000-0x00000000023B8000-memory.dmp

Filesize
32KB

Download
memory/1948-17-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2644-179-0x000000013F070000-0x0000000140070000-memory.dmp

Filesize
16.0MB

Download
memory/2984-48-0x000000002B090000-0x000000002B0BC000-memory.dmp

Filesize
176KB

Download