Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 02/03/2024, 16:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: OpenIVSetup.exe
- Resource: win7-20240215-en

General
- Target: OpenIVSetup.exe
- Size: 33.0MB
- MD5: 58446a05397f2b391ad66c18ac42dd46
- SHA1: fbca2ceb4da791983c133d54b44e9f8191b18260
- SHA256: 3683b717c0651a35fe3a0a5cf8a0a20f19e8a848675005fb08d0152b29857616
- SHA512: f5fb192726a75051bb2cdb101a9ec85bbf7015d70568caacd32d9af64690ae6503c7699d860b611275005c3997de6fae1e4490990a40d12d1a7b836db852d991
- SSDEEP: 786432:JpY72Jimx2oeNm9iePejodLaYLCaYYXTU2vKBorzDa:eUfPeNm9mqHLqYj7a
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (4 IoCs)
    pid   Process
    2264  oivsetup-02032024164434.exe
    2280  dxwebsetup.exe
    2288  dxwsetup.exe
    3552  OpenIV.exe
- Loads dropped DLL (14 IoCs)
    pid   Process
    2228  OpenIVSetup.exe
    2264  oivsetup-02032024164434.exe
    2264  oivsetup-02032024164434.exe
    2264  oivsetup-02032024164434.exe
    2264  oivsetup-02032024164434.exe
    2264  oivsetup-02032024164434.exe
    2280  dxwebsetup.exe
    2280  dxwebsetup.exe
    2280  dxwebsetup.exe
    2280  dxwebsetup.exe
    2288  dxwsetup.exe
    2288  dxwsetup.exe
    2264  oivsetup-02032024164434.exe
    2264  oivsetup-02032024164434.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    Process: dxwebsetup.exe
- Checks installed software on the system (1 TTPs)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
    description        ioc                                                                          Process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  OpenIVSetup.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  oivsetup-02032024164434.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
    description             ioc     Process
    File opened (read-only)  \??\P:  dxwsetup.exe
    File opened (read-only)  \??\Q:  dxwsetup.exe
    File opened (read-only)  \??\B:  dxwsetup.exe
    File opened (read-only)  \??\K:  dxwsetup.exe
    File opened (read-only)  \??\I:  dxwsetup.exe
    File opened (read-only)  \??\J:  dxwsetup.exe
    File opened (read-only)  \??\R:  dxwsetup.exe
    File opened (read-only)  \??\S:  dxwsetup.exe
    File opened (read-only)  \??\V:  dxwsetup.exe
    File opened (read-only)  \??\X:  dxwsetup.exe
    File opened (read-only)  \??\A:  dxwsetup.exe
    File opened (read-only)  \??\G:  dxwsetup.exe
    File opened (read-only)  \??\Y:  dxwsetup.exe
    File opened (read-only)  \??\Z:  dxwsetup.exe
    File opened (read-only)  \??\M:  dxwsetup.exe
    File opened (read-only)  \??\N:  dxwsetup.exe
    File opened (read-only)  \??\O:  dxwsetup.exe
    File opened (read-only)  \??\T:  dxwsetup.exe
    File opened (read-only)  \??\E:  dxwsetup.exe
    File opened (read-only)  \??\H:  dxwsetup.exe
    File opened (read-only)  \??\W:  dxwsetup.exe
    File opened (read-only)  \??\L:  dxwsetup.exe
    File opened (read-only)  \??\U:  dxwsetup.exe
- Drops file in System32 directory (8 IoCs)
    description                   ioc                                                   Process
    File opened for modification  C:\Windows\SysWOW64\directx\websetup\SET4AC7.tmp      dxwsetup.exe
    File created                  C:\Windows\SysWOW64\directx\websetup\SET4AC7.tmp      dxwsetup.exe
    File opened for modification  C:\Windows\SysWOW64\directx\websetup\dsetup32.dll     dxwsetup.exe
    File opened for modification  C:\Windows\SysWOW64\DirectX\WebSetup                  dxwsetup.exe
    File opened for modification  C:\Windows\SysWOW64\DirectX\WebSetup\filelist.dat     dxwsetup.exe
    File opened for modification  C:\Windows\SysWOW64\directx\websetup\SET4AC6.tmp      dxwsetup.exe
    File created                  C:\Windows\SysWOW64\directx\websetup\SET4AC6.tmp      dxwsetup.exe
    File opened for modification  C:\Windows\SysWOW64\directx\websetup\dsetup.dll       dxwsetup.exe
- Drops file in Windows directory (40 IoCs)
- Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
    description        ioc                                                                  Process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   chrome.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
    pid   Process
    2228  OpenIVSetup.exe
    2264  oivsetup-02032024164434.exe
    2044  chrome.exe
    2044  chrome.exe
    2264  oivsetup-02032024164434.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (64 IoCs)
- Suspicious use of SendNotifyMessage (48 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\OpenIVSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OpenIVSetup.exe"
  PID: 2228
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\oivsetup-02032024164434.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\oivsetup-02032024164434.exe"
    PID: 2264
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Users\Admin\AppData\Local\Temp\OpenIV Setup_0F762250\dxwebsetup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\OpenIV Setup_0F762250\dxwebsetup.exe" /Q
      PID: 2280
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      Child process:
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe /windowsupdate
        PID: 2288
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken

- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 2044
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes (each is C:\Program Files\Google\Chrome\Application\chrome.exe):
  - PID 1896
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6f89758,0x7fef6f89768,0x7fef6f89778
  - PID 1420
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1228,i,815600635775845285,16770462689557779490,131072 /prefetch:2
  - PID 1160
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1228,i,815600635775845285,16770462689557779490,131072 /prefetch:8
  - PID 1796
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1228,i,815600635775845285,16770462689557779490,131072 /prefetch:8
  - PID 2460
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1228,i,815600635775845285,16770462689557779490,131072 /prefetch:1
  - PID 2476
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2320 --field-trial-handle=1228,i,815600635775845285,16770462689557779490,131072 /prefetch:1
  - PID 1640
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1168 --field-trial-handle=1228,i,815600635775845285,16770462689557779490,131072 /prefetch:2
  - PID 1704
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1432 --field-trial-handle=1228,i,815600635775845285,16770462689557779490,131072 /prefetch:1
  - PID 1280
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 --field-trial-handle=1228,i,815600635775845285,16770462689557779490,131072 /prefetch:8
  - PID 2432
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3704 --field-trial-handle=1228,i,815600635775845285,16770462689557779490,131072 /prefetch:1
  - PID 1664
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 --field-trial-handle=1228,i,815600635775845285,16770462689557779490,131072 /prefetch:8
  - PID 1728
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3996 --field-trial-handle=1228,i,815600635775845285,16770462689557779490,131072 /prefetch:1
  - PID 2800
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3456 --field-trial-handle=1228,i,815600635775845285,16770462689557779490,131072 /prefetch:1
  - PID 2360
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3808 --field-trial-handle=1228,i,815600635775845285,16770462689557779490,131072 /prefetch:1

- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 2360

- C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe
  Command line: "C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe"
  PID: 3552
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads