IOC Report
https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi

Files

File Path
Type
Category
Malicious
C:\Users\user\Desktop\cmdline.out
ASCII text, with CRLF line terminators
modified
C:\Users\user\Desktop\download\OPNC-v1.1.25.0.msi
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {E36AFA06-1EFD-49D1-8CD4-4C1A142E76B2}, Number of Words: 10, Subject: OPWC, Author: OPWC, Name of Creating Application: OPWC, Template: ;1033, Comments: This installer database contains the logic and data required to install OPWC., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Feb 1 04:04:35 2024, Last Saved Time/Date: Thu Feb 1 04:04:35 2024, Last Printed: Thu Feb 1 04:04:35 2024, Number of Pages: 450
dropped

Processes

Path
Cmdline
Malicious
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi" > cmdline.out 2>&1
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\wget.exe
wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi"
C:\Windows\System32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding

URLs

Name
IP
Malicious
https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi
malicious
https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi
3.160.156.148
malicious
https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msir
unknown
malicious
https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi)
unknown
malicious
https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msiNA-PCN
unknown
malicious
https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msiCESSOR_
unknown
malicious
http://d2q8odwdblz94i.cloudfront.net
unknown

Domains

Name
IP
Malicious
d226ryxb715ss0.cloudfront.net
3.160.156.148

IPs

IP
Domain
Country
Malicious
3.160.156.148
d226ryxb715ss0.cloudfront.net
United States

Registry

Path
Value
Malicious
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.FriendlyAppName
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.ApplicationCompany
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files\Mozilla Firefox\firefox.exe.FriendlyAppName
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files\Mozilla Firefox\firefox.exe.ApplicationCompany
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files\Internet Explorer\iexplore.exe.FriendlyAppName
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files\Internet Explorer\iexplore.exe.ApplicationCompany
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.FriendlyAppName
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.ApplicationCompany
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Windows\system32\mspaint.exe.FriendlyAppName
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Windows\system32\mspaint.exe.ApplicationCompany
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Windows\system32\NOTEPAD.EXE.FriendlyAppName
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Windows\system32\NOTEPAD.EXE.ApplicationCompany
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files (x86)\Microsoft Office\root\Office16\Winword.exe.FriendlyAppName
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files (x86)\Microsoft Office\root\Office16\Winword.exe.ApplicationCompany
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files (x86)\Windows Media Player\wmplayer.exe.FriendlyAppName
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files (x86)\Windows Media Player\wmplayer.exe.ApplicationCompany
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE.FriendlyAppName
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE.ApplicationCompany

Memdumps

Base Address
Regiontype
Protect
Malicious